diff --git a/api/src/lib/cors.ts b/api/src/lib/cors.ts
index 8e9ba5d..4313a22 100755
--- a/api/src/lib/cors.ts
+++ b/api/src/lib/cors.ts
@@ -2,10 +2,17 @@ import type { FastifyReply } from 'fastify'
 import { isProduction } from '@redwoodjs/api/logger'
-export const setCorsHeaders = (res: FastifyReply) => {
+export const setCorsHeaders = (
+ res: FastifyReply,
+ isPublic: boolean = false
+) => {
 res.raw.setHeader(
 'Access-Control-Allow-Origin',
- isProduction ? process.env.ADDRESS_PROD : process.env.ADDRESS_DEV
+ isPublic
+ ? '*'
+ : isProduction
+ ? process.env.ADDRESS_PROD
+ : process.env.ADDRESS_DEV
 )
 res.raw.setHeader(
 'Access-Control-Allow-Methods',
@@ -16,4 +23,9 @@ export const setCorsHeaders = (res: FastifyReply) => {
 'Origin, X-Requested-With, Content-Type, Accept, Authorization, Tus-Resumable, Upload-Length, Upload-Metadata, Upload-Offset'
 )
 res.raw.setHeader('Access-Control-Allow-Credentials', 'true')
+ res.raw.setHeader(
+ 'Access-Control-Expose-Headers',
+ 'Upload-Offset, Upload-Length, Upload-Metadata, Tus-Version,' +
+ 'Tus-Resumable, Tus-Max-Size, Tus-Extension, Tus-Checksum-Algorithm'
+ )
 }
diff --git a/api/src/lib/tus.ts b/api/src/lib/tus.ts
index 08de07e..169bc39 100755
--- a/api/src/lib/tus.ts
+++ b/api/src/lib/tus.ts
@@ -26,6 +26,11 @@ export const handleTusUpload = (
 isPublicEndpoint: boolean
 ) => {
 res.hijack()
+
+ if (req.method === 'GET' && isPublicEndpoint) {
+ setCorsHeaders(res)
+ }
+
 if (isProduction) {
 if (req.method === 'OPTIONS') handleOptionsRequest(res)
 else if (isPublicEndpoint && req.method === 'GET')
@@ -41,7 +46,7 @@ export const handleTusUpload = (
 res.raw.end('Method not allowed')
 }
 } else {
- setCorsHeaders(res)
+ setCorsHeaders(res, isPublicEndpoint)
 void tusHandler.handle(req.raw, res.raw)
 }
 }
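Review bot: In api/src/lib/cors.ts, the new `isPublic` branch of `setCorsHeaders` sends `Access-Control-Allow-Origin: *`, while the unchanged line further down the same function still sends `Access-Control-Allow-Credentials` as `'true'` on every response. Browsers reject a credentialed cross-origin response whose allowed origin is the wildcard, so the two headers contradict each other, and the tempting workaround of echoing the request's Origin would let any site call the endpoint with the user's cookies. Make the credentials header conditional, `if (!isPublic) res.raw.setHeader('Access-Control-Allow-Credentials', 'true')`, and document the parameter with a comment such as `// isPublic: anonymous, cookie-less access only; never sent together with Allow-Credentials`. The rest of the function body lies between the two hunks and is not visible here.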
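Review bot: `Location` is missing from the `Access-Control-Expose-Headers` list added at the end of `setCorsHeaders` in api/src/lib/cors.ts. The tus creation response returns the upload URL in that header, and a browser client cannot read it cross-origin unless it is exposed. If uploads are created from the browser through this path and the tus handler does not set its own expose list (not visible in this diff), start the list with it: `'Location, Upload-Offset, Upload-Length, Upload-Metadata, Tus-Version,' +`. A one-line comment saying the list must track the response headers the client reads would also help, since the same list is sent on the wildcard public responses.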
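Review bot: In api/src/lib/tus.ts, the guard added at the top of `handleTusUpload` calls `setCorsHeaders(res)` without the second argument, so a public GET in production is answered with the `ADDRESS_PROD` origin. The non-production branch in the last hunk passes `isPublicEndpoint` instead and sends `*` for every method, not only GET. The two environments therefore apply different cross-origin policy, and the wildcard path is only ever exercised in development. If the wildcard is intended for public reads, use `setCorsHeaders(res, true)` in the guard and narrow the development call to `setCorsHeaders(res, isPublicEndpoint && req.method === 'GET')`; otherwise drop the argument there. The body of `handleTusUpload` extends beyond both hunks, so the production branches that may set these headers again cannot be checked from here.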