diff --git a/src/database.v b/src/database.v
index b61645a..c7ef6d7 100644
--- a/src/database.v
+++ b/src/database.v
@@ -2,7 +2,7 @@ module main
 
 [table: 'Score']
 struct ScoreRes {
-pub mut:
+mut:
 	id     i64    [primary; sql: serial]
 	player string [nonull]
 	score  int    [nonull]
@@ -19,9 +19,9 @@ fn (mut app App) insert_score(score ScoreRes) ScoreRes {
 	sql app.db {
 		insert score into ScoreRes
 	}
-	last_row_id := app.db.last_insert_rowid()
+	last_id := app.db.last_id() as int
 	return sql app.db {
-		select from ScoreRes where id == last_row_id
+		select from ScoreRes where id == last_id
 	}
 }
 
diff --git a/src/main.v b/src/main.v
index 1787694..1960312 100644
--- a/src/main.v
+++ b/src/main.v
@@ -7,10 +7,11 @@ import os
 
 struct App {
 	vweb.Context
-pub mut:
-	db       sqlite.DB
+mut:
 	config   shared Config
 	is_admin bool
+pub mut:
+	db sqlite.DB
 }
 
 fn main() {
diff --git a/src/web.v b/src/web.v
index fece7a5..e2fdb5c 100644
--- a/src/web.v
+++ b/src/web.v
@@ -69,27 +69,6 @@ pub fn (mut app App) score_submit() vweb.Result {
 	return app.json(score)
 }
 
-pub fn (mut app App) add_cors_headers() {
-	origin := app.get_header('origin')
-	mut origins := []string{}
-	rlock app.config {
-		origins = app.config.origins.clone()
-	}
-	default_origin := origins[0] or { '*' }
-	allowed_origin := if origins.any(it == origin) { origin } else { default_origin }
-
-	app.add_header('Access-Control-Allow-Origin', allowed_origin)
-	app.add_header('Access-Control-Allow-Methods', 'OPTIONS, HEAD, GET, POST')
-	app.add_header('Access-Control-Allow-Headers', 'Authorization, Content-Type')
-	app.add_header('Access-Control-Max-Age', '86400')
-}
-
-pub fn (mut app App) handle_cors() vweb.Result {
-	app.set_status(204, '')
-	app.add_cors_headers()
-	return app.ok('')
-}
-
 ['/api/v1/score/list'; options]
 pub fn (mut app App) handle_score_list_cors() vweb.Result {
 	return app.handle_cors()
@@ -100,6 +79,33 @@ pub fn (mut app App) handle_score_submit_cors() vweb.Result {
 	return app.handle_cors()
 }
 
+fn (mut app App) handle_cors() vweb.Result {
+	app.set_status(204, '')
+	app.add_cors_headers()
+	return app.ok('')
+}
+
+fn (mut app App) add_cors_headers() {
+	origin := app.get_header('origin')
+
+	// Only return headers if actual cross-origin request
+	if origin.len == 0 {
+		return
+	}
+
+	rlock app.config {
+		origins := app.config.origins
+
+		default_origin := origins[0] or { '*' }
+		allowed_origin := if origins.any(it == origin) { origin } else { default_origin }
+
+		app.add_header('Access-Control-Allow-Origin', allowed_origin)
+	}
+	app.add_header('Access-Control-Allow-Methods', 'OPTIONS, HEAD, GET, POST')
+	app.add_header('Access-Control-Allow-Headers', 'Authorization, Content-Type')
+	app.add_header('Access-Control-Max-Age', '86400')
+}
+
 fn (mut app App) auth() bool {
 	auth_header := app.get_header('Authorization')
 	token := auth_header.after('Bearer ')