diff --git a/server/api/auth/passkeys/login.post.js b/server/api/auth/passkeys/login.post.js
index 8295077..71b90c1 100644
--- a/server/api/auth/passkeys/login.post.js
+++ b/server/api/auth/passkeys/login.post.js
@@ -19,9 +19,9 @@ function findUserByCredentialId(users, credentialId) {
 export default defineEventHandler(async (event) => {
 // CORS-Header für Cross-Device Authentication
- const origin = getHeader(event, 'origin')
- if (origin) {
- setHeader(event, 'Access-Control-Allow-Origin', origin)
+ const requestOrigin = getHeader(event, 'origin')
+ if (requestOrigin) {
+ setHeader(event, 'Access-Control-Allow-Origin', requestOrigin)
 setHeader(event, 'Access-Control-Allow-Credentials', 'true')
 setHeader(event, 'Access-Control-Allow-Methods', 'POST, OPTIONS')
 setHeader(event, 'Access-Control-Allow-Headers', 'Content-Type, Authorization')
diff --git a/server/api/auth/passkeys/register.post.js b/server/api/auth/passkeys/register.post.js
index 4ebc0ee..534b296 100644
--- a/server/api/auth/passkeys/register.post.js
+++ b/server/api/auth/passkeys/register.post.js
@@ -7,9 +7,9 @@ import { writeAuditLog } from '../../../utils/audit-log.js'
 export default defineEventHandler(async (event) => {
 // CORS-Header für Cross-Device Authentication
- const origin = getHeader(event, 'origin')
- if (origin) {
- setHeader(event, 'Access-Control-Allow-Origin', origin)
+ const requestOrigin = getHeader(event, 'origin')
+ if (requestOrigin) {
+ setHeader(event, 'Access-Control-Allow-Origin', requestOrigin)
 setHeader(event, 'Access-Control-Allow-Credentials', 'true')
 setHeader(event, 'Access-Control-Allow-Methods', 'POST, OPTIONS')
 setHeader(event, 'Access-Control-Allow-Headers', 'Content-Type, Authorization')
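Review bot: In login.post.js the renamed `requestOrigin` is still reflected unchecked into `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true`, which lets any origin that calls this endpoint read credentialed responses; the register.post.js hunk has the same pattern. Compare the header with a configured allowlist before echoing it, for example `if (requestOrigin && allowedOrigins.includes(requestOrigin)) {`, where `allowedOrigins` is a placeholder for a list this diff does not show. Also add `setHeader(event, 'Vary', 'Origin')` inside the block so shared caches do not reuse one origin's response for another. Both handlers continue past the hunk, so a later origin check (such as the WebAuthn expected-origin verification) may exist but is not visible here.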