diff --git a/media-store/xs-security.json b/media-store/deployers/xs-security.json
similarity index 100%
rename from media-store/xs-security.json
rename to media-store/deployers/xs-security.json
diff --git a/media-store/mta.yaml b/media-store/mta.yaml
index a18ab5f1..f9c60734 100644
--- a/media-store/mta.yaml
+++ b/media-store/mta.yaml
@@ -121,7 +121,7 @@ resources:
   - name: media-store-xsuaa
     # ------------------------------------------------------------
     parameters:
-      path: ./xs-security.json
+      path: deployers/xs-security.json
       service-plan: application
       service: xsuaa
     type: org.cloudfoundry.managed-service
diff --git a/media-store/server.js b/media-store/server.js
index f8ad1798..7e0fb2c9 100644
--- a/media-store/server.js
+++ b/media-store/server.js
@@ -2,31 +2,13 @@ const cds = require("@sap/cds");
 const {
   getDurationInMilliseconds,
   getFormattedDateTime,
+  corsMiddleware,
 } = require("./util/helpers");
 
 // handle bootstrapping events...
 cds.on("bootstrap", (app) => {
   if (cds.env.env === "development") {
-    app.use((req, res, next) => {
-      res.header("Access-Control-Allow-Origin", "*");
-      res.header(
-        "Access-Control-Allow-Methods",
-        "GET, PUT, PATCH, POST, DELETE, OPTIONS"
-      );
-      res.header(
-        "Access-Control-Allow-Headers",
-        "Origin, X-Requested-With, Content-Type, Accept, Authorization, Accept-Language"
-      );
-
-      //intercepts OPTIONS method
-      if ("OPTIONS" === req.method) {
-        //respond with 200
-        res.sendStatus(200);
-      } else {
-        //move on
-        next();
-      }
-    });
+    app.use(corsMiddleware);
   }
 });
 cds.on("served", async ({ db, messaging, ...servedServices }) => {
diff --git a/media-store/util/helpers.js b/media-store/util/helpers.js
index 2587f977..3fe1a8a1 100644
--- a/media-store/util/helpers.js
+++ b/media-store/util/helpers.js
@@ -22,7 +22,29 @@ const getFormattedDateTime = () => {
   return formattedDateTime;
 };
 
+const corsMiddleware = (req, res, next) => {
+  res.header("Access-Control-Allow-Origin", "*");
+  res.header(
+    "Access-Control-Allow-Methods",
+    "GET, PUT, PATCH, POST, DELETE, OPTIONS"
+  );
+  res.header(
+    "Access-Control-Allow-Headers",
+    "Origin, X-Requested-With, Content-Type, Accept, Authorization, Accept-Language"
+  );
+
+  //intercepts OPTIONS method
+  if ("OPTIONS" === req.method) {
+    //respond with 200
+    res.sendStatus(200);
+  } else {
+    //move on
+    next();
+  }
+};
+
 module.exports = {
   getFormattedDateTime,
   getDurationInMilliseconds,
+  corsMiddleware,
 };