diff --git a/net/server/internal/api_status.go b/net/server/internal/api_status.go
index 730769e6..5b5d7715 100644
--- a/net/server/internal/api_status.go
+++ b/net/server/internal/api_status.go
@@ -23,6 +23,11 @@ func Status(w http.ResponseWriter, r *http.Request) {
   // send ringing updates
   ringMode := r.FormValue("mode") == "ring"
 
+  // allows cross origin websocket in dev mode
+  upgrader.CheckOrigin = func(r *http.Request) bool {
+    return true
+  }
+
 	// accept websocket connection
 	conn, err := upgrader.Upgrade(w, r, nil)
 	if err != nil {
diff --git a/net/server/main.go b/net/server/main.go
index e513821f..0288430d 100644
--- a/net/server/main.go
+++ b/net/server/main.go
@@ -78,13 +78,14 @@ func main() {
 
   router := app.NewRouter(webApp)
   origins := handlers.AllowedOrigins([]string{"*"})
+  headers := handlers.AllowedHeaders([]string{"content-type", "authorization", "credentials"})
   methods := handlers.AllowedMethods([]string{"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"})
 
   if cert != "" && key != "" {
     log.Printf("using args:" + " -s " + storePath + " -w " + webApp + " -p " + port[1:] + " -c " + cert + " -k " + key + " -t " + transformPath)
-    log.Fatal(http.ListenAndServeTLS(port, cert, key, handlers.CORS(origins, methods)(router)))
+    log.Fatal(http.ListenAndServeTLS(port, cert, key, handlers.CORS(origins, headers, methods)(router)))
   } else {
     log.Printf("using args:" + " -s " + storePath + " -w " + webApp + " -p " + port[1:] + " -t " + transformPath)
-    log.Fatal(http.ListenAndServe(port, handlers.CORS(origins, methods)(router)))
+    log.Fatal(http.ListenAndServe(port, handlers.CORS(origins, headers, methods)(router)))
   }
 }