diff --git a/src/aleph/vm/orchestrator/resources.py b/src/aleph/vm/orchestrator/resources.py
index 6c042f056..a40c6ff13 100644
--- a/src/aleph/vm/orchestrator/resources.py
+++ b/src/aleph/vm/orchestrator/resources.py
@@ -11,6 +11,7 @@
 from pydantic import BaseModel, Field
 
 from aleph.vm.conf import settings
+from aleph.vm.utils import cors_allow_all
 
 
 class Period(BaseModel):
@@ -92,6 +93,7 @@ def get_machine_properties() -> MachineProperties:
     )
 
 
+@cors_allow_all
 async def about_system_usage(_: web.Request):
     """Public endpoint to expose information about the system usage."""
     period_start = datetime.now(timezone.utc).replace(second=0, microsecond=0)
@@ -116,7 +118,7 @@ async def about_system_usage(_: web.Request):
         ),
         properties=get_machine_properties(),
     )
-    return web.json_response(text=usage.json(exclude_none=True), headers={"Access-Control-Allow-Origin:": "*"})
+    return web.json_response(text=usage.json(exclude_none=True))
 
 
 class Allocation(BaseModel):
diff --git a/src/aleph/vm/orchestrator/supervisor.py b/src/aleph/vm/orchestrator/supervisor.py
index 9b2c3c1c1..4846104ae 100644
--- a/src/aleph/vm/orchestrator/supervisor.py
+++ b/src/aleph/vm/orchestrator/supervisor.py
@@ -69,19 +69,6 @@ async def server_version_middleware(
     return resp
 
 
-async def allow_cors_on_endpoint(request: web.Request):
-    """Allow CORS on endpoints that VM owners use to control their machine."""
-    return web.Response(
-        status=200,
-        headers={
-            "Access-Control-Allow-Headers": "*",
-            "Access-Control-Allow-Methods": "*",
-            "Access-Control-Allow-Origin": "*",
-            "Allow": "POST",
-        },
-    )
-
-
 async def http_not_found(request: web.Request):
     """Return a 404 error for unknown URLs."""
     return web.HTTPNotFound()
diff --git a/src/aleph/vm/orchestrator/views/__init__.py b/src/aleph/vm/orchestrator/views/__init__.py
index 7c1fd370e..994476cba 100644
--- a/src/aleph/vm/orchestrator/views/__init__.py
+++ b/src/aleph/vm/orchestrator/views/__init__.py
@@ -214,13 +214,9 @@ async def status_check_fastapi(request: web.Request, vm_id: Optional[ItemHash] =
                     # "ipv6": await status.check_ipv6(session),
                 }
 
-            return web.json_response(
-                result, status=200 if all(result.values()) else 503, headers={"Access-Control-Allow-Origin": "*"}
-            )
+            return web.json_response(result, status=200 if all(result.values()) else 503)
     except aiohttp.ServerDisconnectedError as error:
-        return web.json_response(
-            {"error": f"Server disconnected: {error}"}, status=503, headers={"Access-Control-Allow-Origin": "*"}
-        )
+        return web.json_response({"error": f"Server disconnected: {error}"}, status=503)
 
 
 @cors_allow_all
@@ -246,7 +242,7 @@ async def status_check_host(request: web.Request):
         },
     }
     result_status = 200 if all(result["ipv4"].values()) and all(result["ipv6"].values()) else 503
-    return web.json_response(result, status=result_status, headers={"Access-Control-Allow-Origin": "*"})
+    return web.json_response(result, status=result_status)
 
 
 @cors_allow_all
@@ -260,7 +256,7 @@ async def status_check_ipv6(request: web.Request):
             vm_ipv6 = False
 
     result = {"host": await check_host_egress_ipv6(), "vm": vm_ipv6}
-    return web.json_response(result, headers={"Access-Control-Allow-Origin": "*"})
+    return web.json_response(result)
 
 
 @cors_allow_all
@@ -283,7 +279,6 @@ async def status_check_version(request: web.Request):
         return web.Response(
             status=200,
             text=f"Up-to-date: version {current} >= {reference}",
-            headers={"Access-Control-Allow-Origin": "*"},
         )
     else:
         return web.HTTPForbidden(text=f"Outdated: version {current} < {reference}")
@@ -327,7 +322,6 @@ async def status_public_config(request: web.Request):
             },
         },
         dumps=dumps_for_json,
-        headers={"Access-Control-Allow-Origin": "*"},
     )
 
 
@@ -436,9 +430,7 @@ async def notify_allocation(request: web.Request):
     except JSONDecodeError:
         return web.HTTPBadRequest(reason="Body is not valid JSON")
     except ValidationError as error:
-        return web.json_response(
-            data=error.json(), status=web.HTTPBadRequest.status_code, headers={"Access-Control-Allow-Origin": "*"}
-        )
+        return web.json_response(data=error.json(), status=web.HTTPBadRequest.status_code)
 
     pubsub: PubSub = request.app["pubsub"]
     pool: VmPool = request.app["vm_pool"]
diff --git a/src/aleph/vm/orchestrator/views/authentication.py b/src/aleph/vm/orchestrator/views/authentication.py
index 84dd96982..d38587015 100644
--- a/src/aleph/vm/orchestrator/views/authentication.py
+++ b/src/aleph/vm/orchestrator/views/authentication.py
@@ -227,8 +227,6 @@ async def wrapper(request):
             return web.json_response(data={"error": e.reason}, status=e.status)
 
         response = await handler(request, authenticated_sender)
-        # Allow browser clients to access the body of the response
-        response.headers.update({"Access-Control-Allow-Origin": request.headers.get("Origin", "")})
         return response
 
     return wrapper