diff --git a/blossom/server.go b/blossom/server.go
index 653756f..ed3404d 100644
--- a/blossom/server.go
+++ b/blossom/server.go
@@ -33,41 +33,29 @@ func New(rl *khatru.Relay, serviceURL string) *BlossomServer {
 	mux := http.NewServeMux()
 
 	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
-		if r.Method == "OPTIONS" {
-			setCors(w)
-			w.WriteHeader(http.StatusNoContent)
-			return
-		}
-
 		if r.URL.Path == "/upload" {
 			if r.Method == "PUT" {
-				setCors(w)
 				bs.handleUpload(w, r)
 				return
 			} else if r.Method == "HEAD" {
-				setCors(w)
 				bs.handleUploadCheck(w, r)
 				return
 			}
 		}
 
 		if strings.HasPrefix(r.URL.Path, "/list/") && r.Method == "GET" {
-			setCors(w)
 			bs.handleList(w, r)
 			return
 		}
 
 		if len(strings.SplitN(r.URL.Path, ".", 2)[0]) == 65 {
 			if r.Method == "HEAD" {
-				setCors(w)
 				bs.handleHasBlob(w, r)
 				return
 			} else if r.Method == "GET" {
-				setCors(w)
 				bs.handleGetBlob(w, r)
 				return
 			} else if r.Method == "DELETE" {
-				setCors(w)
 				bs.handleDelete(w, r)
 				return
 			}
diff --git a/blossom/utils.go b/blossom/utils.go
index 5af0d0d..47d8ee5 100644
--- a/blossom/utils.go
+++ b/blossom/utils.go
@@ -5,12 +5,6 @@ import (
 	"net/http"
 )
 
-func setCors(w http.ResponseWriter) {
-	w.Header().Set("Access-Control-Allow-Origin", "*")
-	w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
-	w.Header().Set("Access-Control-Allow-Methods", "GET, PUT, DELETE, OPTIONS")
-}
-
 func blossomError(w http.ResponseWriter, msg string, code int) {
 	w.Header().Add("X-Reason", msg)
 	w.WriteHeader(code)
diff --git a/examples/blossom/main.go b/examples/blossom/main.go
index d7c8e55..01c1c0e 100644
--- a/examples/blossom/main.go
+++ b/examples/blossom/main.go
@@ -3,7 +3,9 @@ package main
 import (
 	"context"
 	"fmt"
+	"io"
 	"net/http"
+	"strings"
 
 	"github.com/fiatjaf/eventstore/badger"
 	"github.com/fiatjaf/khatru"
@@ -29,9 +31,10 @@ func main() {
 		fmt.Println("storing", sha256, len(body))
 		return nil
 	})
-	bl.LoadBlob = append(bl.LoadBlob, func(ctx context.Context, sha256 string) ([]byte, error) {
+	bl.LoadBlob = append(bl.LoadBlob, func(ctx context.Context, sha256 string) (io.Reader, error) {
 		fmt.Println("loading", sha256)
-		return []byte("aaaaa"), nil
+		blob := strings.NewReader("aaaaa")
+		return blob, nil
 	})
 
 	fmt.Println("running on :3334")
diff --git a/go.mod b/go.mod
index 1c65610..8614bdf 100644
--- a/go.mod
+++ b/go.mod
@@ -9,7 +9,7 @@ require (
 	github.com/liamg/magic v0.0.1
 	github.com/nbd-wtf/go-nostr v0.42.0
 	github.com/puzpuzpuz/xsync/v3 v3.4.0
-	github.com/rs/cors v1.7.0
+	github.com/rs/cors v1.11.1
 	github.com/stretchr/testify v1.9.0
 )
 
diff --git a/go.sum b/go.sum
index b8f1014..ad13a24 100644
--- a/go.sum
+++ b/go.sum
@@ -134,6 +134,8 @@ github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU
 github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/rs/cors v1.7.0 h1:+88SsELBHx5r+hZ8TCkggzSstaWNbDvThkVK8H6f9ik=
 github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU=
+github.com/rs/cors v1.11.1 h1:eU3gRzXLRK57F5rKMGMZURNdIG4EoAmX8k94r9wXWHA=
+github.com/rs/cors v1.11.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
 github.com/savsgio/gotils v0.0.0-20230208104028-c358bd845dee h1:8Iv5m6xEo1NR1AvpV+7XmhI4r39LGNzwUL4YpMuL5vk=
 github.com/savsgio/gotils v0.0.0-20230208104028-c358bd845dee/go.mod h1:qwtSXrKuJh/zsFQ12yEE89xfCrGKK63Rr7ctU/uCo4g=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72 h1:qLC7fQah7D6K1B0ujays3HV9gkFtllcxhzImRR7ArPQ=
diff --git a/handlers.go b/handlers.go
index 914f74a..aaf3d03 100644
--- a/handlers.go
+++ b/handlers.go
@@ -26,14 +26,28 @@ func (rl *Relay) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		rl.ServiceURL = getServiceBaseURL(r)
 	}
 
+	corsMiddleware := cors.New(cors.Options{
+		AllowedOrigins: []string{"*"},
+		AllowedMethods: []string{
+			http.MethodHead,
+			http.MethodGet,
+			http.MethodPost,
+			http.MethodPut,
+			http.MethodPatch,
+			http.MethodDelete,
+		},
+		AllowedHeaders: []string{"Authorization", "*"},
+		MaxAge:         86400,
+	})
+
 	if r.Header.Get("Upgrade") == "websocket" {
 		rl.HandleWebsocket(w, r)
 	} else if r.Header.Get("Accept") == "application/nostr+json" {
-		cors.AllowAll().Handler(http.HandlerFunc(rl.HandleNIP11)).ServeHTTP(w, r)
+		corsMiddleware.Handler(http.HandlerFunc(rl.HandleNIP11)).ServeHTTP(w, r)
 	} else if r.Header.Get("Content-Type") == "application/nostr+json+rpc" {
-		cors.AllowAll().Handler(http.HandlerFunc(rl.HandleNIP86)).ServeHTTP(w, r)
+		corsMiddleware.Handler(http.HandlerFunc(rl.HandleNIP86)).ServeHTTP(w, r)
 	} else {
-		rl.serveMux.ServeHTTP(w, r)
+		corsMiddleware.Handler(rl.serveMux).ServeHTTP(w, r)
 	}
 }
 
diff --git a/policies/events.go b/policies/events.go
index f084a2c..a21e21d 100644
--- a/policies/events.go
+++ b/policies/events.go
@@ -72,7 +72,7 @@ func RestrictToSpecifiedKinds(allowEphemeral bool, kinds ...uint16) func(context
 	slices.Sort(kinds)
 
 	return func(ctx context.Context, event *nostr.Event) (reject bool, msg string) {
-		if allowEphemeral && event.IsEphemeral() {
+		if allowEphemeral && nostr.IsEphemeralKind(event.Kind) {
 			return false, ""
 		}