diff --git a/app/Http/Middleware/CorsMiddleware.php b/app/Http/Middleware/CorsMiddleware.php
index 068bbcb..6f6a18e 100644
--- a/app/Http/Middleware/CorsMiddleware.php
+++ b/app/Http/Middleware/CorsMiddleware.php
@@ -10,15 +10,21 @@ class CorsMiddleware
 {
     public function handle(Request $request, Closure $next): Response
     {
+        // OPTIONS 요청은 즉시 처리 (미들웨어 체인 진행 안 함)
+        if ($request->isMethod('OPTIONS')) {
+            return response()->json([], 200, [
+                'Access-Control-Allow-Origin' => '*',
+                'Access-Control-Allow-Methods' => 'GET, POST, PUT, DELETE, OPTIONS, PATCH',
+                'Access-Control-Allow-Headers' => 'Content-Type, Authorization, X-API-KEY',
+                'Access-Control-Max-Age' => '86400',
+            ]);
+        }
+
         $response = $next($request);
 
         $response->headers->set('Access-Control-Allow-Origin', '*');
-        $response->headers->set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
-        $response->headers->set('Access-Control-Allow-Headers', 'Content-Type, Authorization');
-
-        if ($request->isMethod('OPTIONS')) {
-            return response()->json([], 200, $response->headers->all());
-        }
+        $response->headers->set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS, PATCH');
+        $response->headers->set('Access-Control-Allow-Headers', 'Content-Type, Authorization, X-API-KEY');
 
         return $response;
     }