diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..77deb22
--- /dev/null
+++ b/.envrc
@@ -0,0 +1,2 @@
+PATH_add vendor/bin
+
diff --git a/web/sites/default/default.services.yml b/web/sites/default/default.services.yml
index 9a5193e..8a6cdf2 100644
--- a/web/sites/default/default.services.yml
+++ b/web/sites/default/default.services.yml
@@ -206,11 +206,11 @@ parameters:
   # for more information about the topic in general.
   # Note: By default the configuration is disabled.
   cors.config:
-    enabled: true
+    enabled: false
     # Specify allowed headers, like 'x-allowed-header'.
-    allowedHeaders: ['x-csrf-token','authorization','content-type','accept','origin','x-requested-with','access-control-allow-origin','x-allowed-header','*']
+    allowedHeaders: []
     # Specify allowed request methods, specify ['*'] to allow all possible ones.
-    allowedMethods: ['*']
+    allowedMethods: []
     # Configure requests allowed from specific origins. Do not include trailing
     # slashes with URLs.
     allowedOrigins: ['*']
@@ -219,8 +219,7 @@ parameters:
     # Sets the Access-Control-Max-Age header.
     maxAge: false
     # Sets the Access-Control-Allow-Credentials header.
-    supportsCredentials: true
-    allowCredentials: true
+    supportsCredentials: false
 
   queue.config:
     # The maximum number of seconds to wait if a queue is temporarily suspended.
diff --git a/web/sites/development.services.yml b/web/sites/development.services.yml
index 141a156..d2857c6 100644
--- a/web/sites/development.services.yml
+++ b/web/sites/development.services.yml
@@ -4,21 +4,6 @@
 # 'example.settings.local.php' file, which sits next to this file.
 parameters:
   http.response.debug_cacheability_headers: true
-  cors.config:
-    enabled: true
-    # Specify allowed headers, like 'x-allowed-header'.
-    allowedHeaders: ['x-csrf-token','authorization','content-type','accept','origin','x-requested-with']
-    # Specify allowed request methods, specify ['*'] to allow all possible ones.
-    allowedMethods: ['*']
-    # Configure requests allowed from specific origins. Do not include trailing
-    # slashes with URLs.
-    allowedOrigins: ['*']
-    # Sets the Access-Control-Expose-Headers header.
-    exposedHeaders: false
-    # Sets the Access-Control-Max-Age header.
-    maxAge: false
-    # Sets the Access-Control-Allow-Credentials header.
-    supportsCredentials: false
 services:
   cache.backend.null:
     class: Drupal\Core\Cache\NullBackendFactory