diff --git a/src/main/java/org/example/studylog/config/CorsMvcConfig.java b/src/main/java/org/example/studylog/config/CorsMvcConfig.java
new file mode 100644
index 0000000..316041a
--- /dev/null
+++ b/src/main/java/org/example/studylog/config/CorsMvcConfig.java
@@ -0,0 +1,16 @@
+package org.example.studylog.config;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.servlet.config.annotation.CorsRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+
+@Configuration
+public class CorsMvcConfig implements WebMvcConfigurer {
+
+ @Override
+ public void addCorsMappings(CorsRegistry corsRegistry) {
+ corsRegistry.addMapping("/**")
+ .exposedHeaders("Set-Cookie")
+ .allowedOrigins("http://localhost:5173");
+ }
+}
diff --git a/src/main/java/org/example/studylog/config/SecurityConfig.java b/src/main/java/org/example/studylog/config/SecurityConfig.java
index 5ff8cba..8cb158e 100644
--- a/src/main/java/org/example/studylog/config/SecurityConfig.java
+++ b/src/main/java/org/example/studylog/config/SecurityConfig.java
@@ -1,5 +1,6 @@
 package org.example.studylog.config;
+import jakarta.servlet.http.HttpServletRequest;
 import org.example.studylog.jwt.JWTFilter;
 import org.example.studylog.jwt.JWTUtil;
 import org.example.studylog.oauth2.CustomFailureHandler;
@@ -14,6 +15,11 @@
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+
+import java.util.Arrays;
+import java.util.Collections;
 @Configuration
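Review bot: In `CorsMvcConfig.addCorsMappings` the `.exposedHeaders("Set-Cookie")` call has no effect, because browsers treat `Set-Cookie` as a forbidden response header and never make it readable to scripts regardless of `Access-Control-Expose-Headers`. The mapping also sets neither `allowCredentials` nor `allowedMethods`, so it disagrees with the `CorsConfigurationSource` this same commit adds in `SecurityConfig` (credentials on, all methods); two CORS policies covering `/**` tend to drift, and which one answers a request depends on where it is handled. I would keep one source of truth and drop `.exposedHeaders("Set-Cookie")` here. The origin `http://localhost:5173` is a development value hard-coded into the class; loading it from an application property, e.g. `.allowedOrigins(allowedOrigins)` with the field injected from configuration, keeps the allowlist explicit per environment.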
@@ -37,6 +43,29 @@ public SecurityConfig(CustomOAuth2UserService customOAuth2UserService, CustomSuc
 @Bean
 public SecurityFilterChain filterChain(HttpSecurity http) throws Exception{
+ // cors 설정
+ http
+ .cors(corsCustomizer -> corsCustomizer.configurationSource(new CorsConfigurationSource() {
+
+ @Override
+ public CorsConfiguration getCorsConfiguration(HttpServletRequest request) {
+
+ CorsConfiguration configuration = new CorsConfiguration();
+
+ configuration.setAllowedOrigins(Collections.singletonList("http://localhost:5173"));
+ configuration.setAllowedMethods(Collections.singletonList("*"));
+ configuration.setAllowCredentials(true);
+ configuration.setAllowedHeaders(Collections.singletonList("*"));
+ configuration.setMaxAge(3600L);
+
+// configuration.setExposedHeaders(Collections.singletonList("Set-Cookie"));
+// configuration.setExposedHeaders(Collections.singletonList("Authorization"));
+ configuration.setExposedHeaders(Arrays.asList("Set-Cookie", "Authorization"));
+
+ return configuration;
+ }
+ }));
+
 // csrf disable
 http
 .csrf((auth) -> auth.disable());
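Review bot: `configuration.setAllowCredentials(true)` is turned on while `.csrf((auth) -> auth.disable())` is visible at the end of the same hunk, and CORS is not a CSRF defence: it decides whether a cross-origin script may read a response, not whether the browser attaches cookies to a form post or other simple request. If the JWT is carried in a cookie (the `Set-Cookie` entry in `setExposedHeaders` suggests so, but the code that issues the token is outside this hunk), the cookie should carry a restrictive `SameSite` attribute or CSRF protection should stay enabled for state-changing endpoints. Separately, `Set-Cookie` is a forbidden response header that browsers never expose to scripts, so `configuration.setExposedHeaders(Collections.singletonList("Authorization"));` is sufficient and the two commented-out `setExposedHeaders` lines can be deleted. For a credentialed policy I would also load the origin list from configuration instead of hard-coding `http://localhost:5173`, and name the methods and headers the API actually uses instead of `"*"`. `filterChain` starts before and continues past this hunk.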