diff --git a/main.go b/main.go
index a01d371..0212369 100644
--- a/main.go
+++ b/main.go
@@ -55,10 +55,6 @@ func corsMiddleware(handler http.Handler) http.Handler {
 				return
 			}
 		}
-		if r.Method == http.MethodOptions {
-			w.WriteHeader(http.StatusOK)
-			return
-		}
 		handler.ServeHTTP(w, r)
 	})
 }
diff --git a/microservices/dashboard/dashboard.go b/microservices/dashboard/dashboard.go
index 385e258..264cfe6 100644
--- a/microservices/dashboard/dashboard.go
+++ b/microservices/dashboard/dashboard.go
@@ -17,6 +17,18 @@ func NewDashboard(tracker *tracker.Tracker) *Dashboard {
 }
 
 func (d *Dashboard) HandleDashboard(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+		return
+	}
+
+	if r.Method == http.MethodOptions {
+		w.Header().Del("Access-Control-Allow-Methods")
+		w.Header().Set("Access-Control-Allow-Methods", "GET")
+		w.WriteHeader(http.StatusOK)
+		return
+	}
+
 	w.Header().Set("Content-Type", "text/html; charset=utf-8")
 	w.Header().Set("Refresh", "5")
 	clients := d.tracker.GetServers()
diff --git a/microservices/homepage/homepage.go b/microservices/homepage/homepage.go
index 5e1b61d..e677a79 100644
--- a/microservices/homepage/homepage.go
+++ b/microservices/homepage/homepage.go
@@ -17,6 +17,18 @@ func NewHomepage() *Homepage {
 }
 
 func (h *Homepage) HandleHomepage(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+		return
+	}
+
+	if r.Method == http.MethodOptions {
+		w.Header().Del("Access-Control-Allow-Methods")
+		w.Header().Set("Access-Control-Allow-Methods", "GET")
+		w.WriteHeader(http.StatusOK)
+		return
+	}
+
 	homepageTempl().Render(r.Context(), w)
 }
 
diff --git a/microservices/webdavservice/webdav.go b/microservices/webdavservice/webdav.go
index cd4c756..fbb055f 100644
--- a/microservices/webdavservice/webdav.go
+++ b/microservices/webdavservice/webdav.go
@@ -19,16 +19,18 @@ type WebDavService struct {
 }
 
 func (s *WebDavService) RegisterGinHandlers(router *gin.Engine) {
-	h := &webdav.Handler{
-		Prefix:     "/dav",
-		FileSystem: s.fs,
-		LockSystem: webdav.NewMemLS(),
-		Logger: func(r *http.Request, err error) {
-			if err != nil {
-				log.Printf("webdav: %s %s: %v", r.Method, r.URL.Path, err)
-			} else {
-				log.Printf("webdav: %s %s", r.Method, r.URL.Path)
-			}
+	h := corsWebdavMethodFixerWrapper{
+		W: &webdav.Handler{
+			Prefix:     "/dav",
+			FileSystem: s.fs,
+			LockSystem: webdav.NewMemLS(),
+			Logger: func(r *http.Request, err error) {
+				if err != nil {
+					log.Printf("webdav: %s %s: %v", r.Method, r.URL.Path, err)
+				} else {
+					log.Printf("webdav: %s %s", r.Method, r.URL.Path)
+				}
+			},
 		},
 	}
 
@@ -40,3 +42,16 @@ func (s *WebDavService) RegisterGinHandlers(router *gin.Engine) {
 		router.Handle(method, "/dav/*filepath", gin.WrapH(h))
 	}
 }
+
+type corsWebdavMethodFixerWrapper struct {
+	W *webdav.Handler
+}
+
+// ServeHTTP implements [http.Handler].
+func (c corsWebdavMethodFixerWrapper) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	w.Header().Del("Access-Control-Allow-Methods")
+	w.Header().Set("Access-Control-Allow-Methods", "COPY, DELETE, GET, HEAD, LOCK, MKCOL, MOVE, OPTIONS, POST, PROPFIND, PROPPATCH, PUT, TRACE, UNLOCK")
+	c.W.ServeHTTP(w, r)
+}
+
+var _ http.Handler = corsWebdavMethodFixerWrapper{}