diff --git a/src/middleware/cors.js b/src/middleware/cors.js
deleted file mode 100644
index 9d62d1fa1..000000000
--- a/src/middleware/cors.js
+++ /dev/null
@@ -1,54 +0,0 @@
-/* jshint node:true */
-
-import url from 'node:url';
-
-/*
- * CORS middleware
- *
- * options can contains a list of origins
- */
-export default function cors(options) {
- options = options || { };
- const maxAge = options.maxAge || 60 * 60 * 25 * 5; // 5 days
- const origins = options.origins || [ '*' ];
- const allowCredentials = options.allowCredentials || false; // cookies
-
- return function (req, res, next) {
- let requestOrigin = req.headers.origin;
- if (!requestOrigin) return next();
-
- requestOrigin = url.parse(requestOrigin);
- if (!requestOrigin.host) return res.status(405).send('CORS not allowed from this domain');
-
- const hostname = requestOrigin.host.split(':')[0]; // remove any port
- const originAllowed = origins.some(function (o) { return o === '*' || o === hostname; });
- if (!originAllowed) {
- return res.status(405).send('CORS not allowed from this domain');
- }
-
- // respond back with req.headers.origin which might contain the scheme
- res.header('Access-Control-Allow-Origin', req.headers.origin);
- res.header('Access-Control-Allow-Credentials', allowCredentials);
-
- // handle preflighted requests
- if (req.method === 'OPTIONS') {
- if (req.headers['access-control-request-method']) {
- res.header('Access-Control-Allow-Methods', 'GET, PUT, DELETE, POST, OPTIONS');
- }
-
- if (req.headers['access-control-request-headers']) {
- res.header('Access-Control-Allow-Headers', req.headers['access-control-request-headers']);
- }
-
- res.header('Access-Control-Max-Age', maxAge);
-
- return res.status(200).send();
- }
-
- if (req.headers['access-control-request-headers']) {
- res.header('Access-Control-Allow-Headers', req.headers['access-control-request-headers']);
- }
-
- next();
- };
-};
diff --git a/src/middleware/index.js b/src/middleware/index.js
index 8ad033ff0..00f9e2fca 100644
--- a/src/middleware/index.js
+++ b/src/middleware/index.js
@@ -1,5 +1,4 @@
 import cookieParser from 'cookie-parser';
-import cors from './cors.js';
 import json from './json.js';
 import lastMile from '@cloudron/connect-lastmile';
 import multipart from './multipart.js';
@@ -7,7 +6,6 @@ import timeout from 'connect-timeout';
 
 export default {
 cookieParser,
- cors,
 json,
 lastMile,
 multipart,
diff --git a/src/server.js b/src/server.js
index 60986db26..ddd347a5c 100644
--- a/src/server.js
+++ b/src/server.js
@@ -59,7 +59,6 @@ async function initializeExpressSync() {
 // the timeout middleware will respond with a 503. the request itself cannot be 'aborted' and will continue
 // search for req.clearTimeout in route handlers to see places where this timeout is reset
 .use(middleware.timeout(REQUEST_TIMEOUT, { respond: true }))
- .use(middleware.cors({ origins: [ '*' ], allowCredentials: false }))
 .use((req, res , next) => {
 // we store our route resources, like app,volumes,... in req.resources. Those are added in the load() routes
 req.resources = {};