diff --git a/CHANGES b/CHANGES
index 0e747bb6c..20861a0fc 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3141,4 +3141,5 @@
 * filemanager: the terminal button automatically cds into the cwd
 * filemanager: add a tree view
 * passkey support
+* security: remove cors
diff --git a/src/test/server-test.js b/src/test/server-test.js
index 414715883..764df0f76 100644
--- a/src/test/server-test.js
+++ b/src/test/server-test.js
@@ -79,28 +79,4 @@ describe('Server', function () {
 expect(error).to.not.be(null);
 });
 });
-
- describe('cors', function () {
- before(server.start);
- after(server.stop);
-
- it('responds to OPTIONS', async function () {
- const response = await superagent.options(SERVER_URL + '/api/v1/cloudron/status')
- .set('Access-Control-Request-Method', 'GET')
- .set('Access-Control-Request-Headers', 'accept, origin, x-superagented-with')
- .set('Origin', 'http://localhost');
-
- expect(response.headers['access-control-allow-methods']).to.be('GET, PUT, DELETE, POST, OPTIONS');
- expect(response.headers['access-control-allow-credentials']).to.be('false');
- expect(response.headers['access-control-allow-headers']).to.be('accept, origin, x-superagented-with'); // mirrored from superagent
- expect(response.headers['access-control-allow-origin']).to.be('http://localhost'); // mirrors from superagent
- });
-
- it('does not crash for malformed origin', async function () {
- const response = await superagent.options(SERVER_URL + '/api/v1/cloudron/status')
- .set('Origin', 'foobar')
- .ok(() => true);
- expect(response.status).to.be(405);
- });
- });
 });