diff --git a/src/server/cors.ts b/src/server/cors.ts
index 2846563..fb18c6e 100644
--- a/src/server/cors.ts
+++ b/src/server/cors.ts
@@ -22,6 +22,10 @@ export function applyCorsHeaders(response: NextResponse, origin: string | null,
 response.headers.set("Access-Control-Allow-Origin", resolvedOrigin)
 response.headers.set("Access-Control-Allow-Methods", methods)
 response.headers.set("Access-Control-Allow-Headers", "Content-Type, Authorization")
+ // Permite envio/recebimento de cookies em requisições cross-origin (ex.: WebView -> domínio HTTPS)
+ if (resolvedOrigin !== "*") {
+ response.headers.set("Access-Control-Allow-Credentials", "true")
+ }
 response.headers.set("Access-Control-Max-Age", "86400")
 response.headers.set("Vary", "Origin")
 return response
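Review bot: The new guard `if (resolvedOrigin !== "*")` sends `Access-Control-Allow-Credentials: true` for every non-wildcard value, so its safety rests entirely on how `resolvedOrigin` is derived above this hunk, which is not visible here. If that value can ever be the request's `Origin` echoed back without an exact allowlist match, or the literal `"null"` (which WebViews loading local content and sandboxed frames commonly send), any such page could read authenticated responses with the user's cookies. I would tie the credentials header to the allowlist check itself, e.g. `if (resolvedOrigin !== "*" && resolvedOrigin !== "null" && allowedOrigins.includes(resolvedOrigin)) {`, where `allowedOrigins` is a placeholder for whatever explicit list the function uses. Since cookies now travel cross-origin, state-changing routes behind this helper also need CSRF protection that does not rely on SameSite. The body of applyCorsHeaders starts and ends outside the hunk.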