diff --git a/vendor/docker/webapp.conf b/vendor/docker/webapp.conf
index 2b9ddfcfc..694a11f84 100644
--- a/vendor/docker/webapp.conf
+++ b/vendor/docker/webapp.conf
@@ -11,34 +11,36 @@ server {
 error_log stderr;
- # enable CORS
- set $cors '';
- if ($http_origin ~* 'https?://(localhost:3000|localhost:4200|doi.stage.datacite.org|commons.stage.datacite.org|doi.datacite.org|commons.datacite.org)') {
- set $cors 'true';
- }
+ location / {
+ # enable CORS
+ set $cors '';
+ if ($http_origin ~* 'https?://(localhost:3000|localhost:4200|doi.stage.datacite.org|commons.stage.datacite.org|doi.datacite.org|commons.datacite.org)') {
+ set $cors 'true';
+ }
- # always is required to add headers even if response's status is 4xx or 5xx
- if ($cors = 'true') {
- add_header 'Access-Control-Allow-Origin' "$http_origin" always;
- add_header 'Access-Control-Allow-Credentials' 'true' always;
- add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, PATCH, DELETE, OPTIONS' always;
- add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Mx-ReqToken,X-Requested-With' always;
- # required to be able to read Authorization header in frontend
- add_header 'Access-Control-Expose-Headers' 'Authorization' always;
- }
+ # always is required to add headers even if response's status is 4xx or 5xx
+ if ($cors = 'true') {
+ add_header 'Access-Control-Allow-Origin' "$http_origin" always;
+ add_header 'Access-Control-Allow-Credentials' 'true' always;
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, PATCH, DELETE, OPTIONS' always;
+ add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Mx-ReqToken,X-Requested-With' always;
+ # required to be able to read Authorization header in frontend
+ add_header 'Access-Control-Expose-Headers' 'Authorization' always;
+ }
- # 2 if are required, nginx treats each if block as a different context
- if ($request_method = 'OPTIONS') {
- add_header 'Access-Control-Allow-Origin' "$http_origin";
- add_header 'Access-Control-Allow-Credentials' 'true';
- add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, PATCH, DELETE, OPTIONS';
- add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Mx-ReqToken,X-Requested-With';
- add_header 'Access-Control-Max-Age' 1728000;
- add_header 'Content-Type' 'text/plain charset=UTF-8';
- add_header 'Content-Length' 0;
- return 204;
+ # 2 if are required, nginx treats each if block as a different context
+ if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Origin' "$http_origin";
+ add_header 'Access-Control-Allow-Credentials' 'true';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, PATCH, DELETE, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Mx-ReqToken,X-Requested-With';
+ add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Content-Type' 'text/plain charset=UTF-8';
+ add_header 'Content-Length' 0;
+ return 204;
+ }
 }
-
+
 location = / {
 return 301 https://support.datacite.org/docs/api;
 }
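Review bot: The Origin test in the new `location /` block is an unanchored regex with unescaped dots, so a value such as `https://doi.datacite.org.example.net` (constructed example) still matches and is then reflected in `Access-Control-Allow-Origin` alongside `Access-Control-Allow-Credentials: true`. Anchoring and escaping the pattern closes this: `if ($http_origin ~* '^https?://(localhost:3000|localhost:4200|doi\.stage\.datacite\.org|commons\.stage\.datacite\.org|doi\.datacite\.org|commons\.datacite\.org)$') {`. The `OPTIONS` branch also reflects `$http_origin` without consulting `$cors`, so a preflight from any origin is approved with credentials allowed. One way to gate it is to initialise an origin variable to an empty string next to `$cors`, fill it inside the first `if`, and use it as the `Access-Control-Allow-Origin` value in both blocks, since nginx omits an `add_header` whose value is empty. Because the header value depends on the request, the block should also carry a comment saying whether the two `localhost` origins are meant to be accepted in production images.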