diff --git a/app.py b/app.py
index a9b65019787fe4caefef2ab0449d44a29232eefb..778fa6afcf0154d20915bbf45e5809ba1baa1c74 100644
--- a/app.py
+++ b/app.py
@@ -5,25 +5,38 @@ import json
 import os
 
 import docker
-from flask import Flask, request
+from flask import Flask, Response, request
 
 app = Flask(__name__)
+app.config["MAX_CONTENT_LENGTH"] = 128
 client = docker.from_env()
 
 
-NAME = os.getenv("NC_NAME", "Nimrod Adar")
+ALLOWED_ORIGIN = os.getent("ALLOWED_ORIGIN", "https://www.shore.co.il")
 CONTAINER_NAME = os.getenv("NC_CONTAINER", "nextcloud-nextcloud-1")
+NAME = os.getenv("NC_NAME", "Nimrod Adar")
+
+HEADERS = {
+    "Access-Control-Allow-Credentials": False,
+    "Access-Control-Allow-Methods": "GET,POST",
+    "Access-Control-Allow-Origin": ALLOWED_ORIGIN,
+    "Cache-Control": "no-cache, no-store, max-age=0",
+    "X-Content-Type-Options": "nosniff",
+    "X-Frame-Options": "DENY",
+}
 
 
 @app.route("/ping")
 def ping():
     """Healthcheck."""
-    return "pong"
+    return Response("pong", mimetype="text/plain")
 
 
 @app.route("/send", methods=["GET", "POST"])
 def send_message():  # noqa: MC0001
     """Send a notification."""
+    if request.method == "OPTIONS":  # A CORS pre-flight request.
+        return Response(headers=HEADERS)
     if request.method == "POST":
         # Needs to be called before accessing other request parameters,
         # otherwise it will be empty.
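Review bot: `os.getent` on the added ALLOWED_ORIGIN line is not a function in the `os` module, so importing app.py would raise AttributeError before the app can serve anything; it should read `ALLOWED_ORIGIN = os.getenv("ALLOWED_ORIGIN", "https://www.shore.co.il")`. The new `request.method == "OPTIONS"` branch in send_message also looks unreachable: the route still declares `methods=["GET", "POST"]`, and Flask answers OPTIONS itself for such routes without calling the view, so the pre-flight reply would not carry HEADERS unless the decorator becomes `methods=["GET", "POST", "OPTIONS"]`. In HEADERS, `"Access-Control-Allow-Credentials": False` puts a boolean where a header string is expected, and the only value the CORS specification defines for that header is `true`, so dropping the key is the clean way to refuse credentials. send_message continues past the end of this hunk, so the POST handling itself is not reviewed here.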
@@ -69,4 +82,4 @@ def send_message():  # noqa: MC0001
     if result.exit_code != 0:
         raise RuntimeError(result.output.decode())
 
-    return message
+    return Response(message, mimetype="text/plain", headers=HEADERS)
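Review bot: HEADERS is attached only to this success return, so the `raise RuntimeError(result.output.decode())` path just above, and any other exit in the part of send_message outside this hunk, respond without the nosniff, frame and cache headers. The CORS origin header is missing on those paths too, so a browser caller on the allowed origin cannot read the failure. Registering one `@app.after_request` hook that calls `response.headers.update(HEADERS)` and returns the response would cover every route, including /ping and error responses, and would let the per-return `headers=HEADERS` arguments go. Separately, the exception text is the container command's raw output; it is worth confirming that this output never holds anything sensitive, since it will land in logs and in the debugger page if debug mode is ever enabled.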