diff --git a/src/app.ts b/src/app.ts
index fb6ac7fe..271b6699 100644
--- a/src/app.ts
+++ b/src/app.ts
@@ -47,6 +47,30 @@ export async function configureApp(app: Express) {
   // request loggers have to be the first middleware to be set in express
   app.use(morgan('dev'));
 
+  const corsOptions = {
+    allowedHeaders: [
+      'DNT',
+      'Keep-Alive',
+      'User-Agent',
+      'X-Requested-With',
+      'If-Modified-Since',
+      'Cache-Control',
+      'Content-Type',
+      'X-StApps-Version',
+    ],
+    credentials: true,
+    maxAge: 1728000,
+    methods: ['GET', 'POST', 'PUT', 'OPTIONS'],
+    optionsSuccessStatus: 204,
+  };
+
+  // allow all origins on all routes
+  app.use(cors(corsOptions));
+  // TODO: See if it can handle options request with no content-type
+
+  // allow cors preflight requests on every route
+  app.options('*', cors(corsOptions));
+
   // only accept json as content type for all requests
   app.use((req, res, next) => {
     // get the content type
@@ -158,30 +182,6 @@ export async function configureApp(app: Express) {
 
   app.set('env', process.env.NODE_ENV);
 
-  const corsOptions = {
-    allowedHeaders: [
-      'DNT',
-      'Keep-Alive',
-      'User-Agent',
-      'X-Requested-With',
-      'If-Modified-Since',
-      'Cache-Control',
-      'Content-Type',
-      'X-StApps-Version',
-    ],
-    credentials: true,
-    maxAge: 1728000,
-    methods: ['GET', 'POST', 'PUT', 'OPTIONS'],
-    optionsSuccessStatus: 204,
-  };
-
-  // allow all origins on all routes
-  app.use(cors(corsOptions));
-  // TODO: See if it can handle options request with no content-type
-
-  // allow cors preflight requests on every route
-  app.options('*', cors(corsOptions));
-
   // load routes before plugins
   // they now can be used or overwritten by any plugin
   app.use(