diff --git a/DEPLOY_CORS.md b/DEPLOY_CORS.md index c4f6d26..604522e 100644 --- a/DEPLOY_CORS.md +++ b/DEPLOY_CORS.md @@ -33,14 +33,29 @@ CORS_ALLOWED_ORIGINS=https://app.example.com,https://dashboard.example.com ``` ```bash -# 5. Restart PHP-FPM (via aaPanel atau command) +# 5. Restart PHP-FPM (PENTING! Harus di-restart setelah perubahan code) # Via aaPanel: Website -> PHP -> Service Management -> Reload -# Atau: -systemctl reload php-fpm-83 # Sesuaikan dengan PHP version +# Atau via command (sesuaikan dengan PHP version): +systemctl reload php-fpm-83 # Untuk PHP 8.3 +# systemctl reload php-fpm-82 # Untuk PHP 8.2 + +# 6. (Opsional) Clear PHP Opcache jika masih ada masalah +# Via aaPanel: Website -> PHP -> Opcache -> Clear Cache +# Atau via command: +php -r "opcache_reset();" ``` ## ✅ Verifikasi CORS Aktif +### Test 0: Test CORS Middleware Secara Langsung (Recommended) + +```bash +# Jalankan script test di server +php bin/test_cors.php +``` + +Script ini akan test CORS middleware secara langsung dan menunjukkan apakah headers sudah muncul. + ### Test 1: Cek Response Headers ```bash diff --git a/bin/test_cors.php b/bin/test_cors.php new file mode 100644 index 0000000..dba3496 --- /dev/null +++ b/bin/test_cors.php 
@@ -0,0 +1,115 @@
+createServerRequest('GET', '/health')
+ ->withHeader('Origin', 'http://localhost/retribusi');
+
+$response1 = $responseFactory->createResponse(200);
+$response1->getBody()->write(json_encode(['status' => 'ok']));
+
+$middleware = new CorsMiddleware();
+$handler = new class($response1) implements \Psr\Http\Server\RequestHandlerInterface {
+ private $response;
+ public function __construct($response) {
+ $this->response = $response;
+ }
+ public function handle(\Psr\Http\Message\ServerRequestInterface $request): \Psr\Http\Message\ResponseInterface {
+ return $this->response;
+ }
+};
+
+$result1 = $middleware->process($request1, $handler);
+
+echo " Response headers:\n";
+foreach ($result1->getHeaders() as $name => $values) {
+ if (str_starts_with(strtolower($name), 'access-control-')) {
+ echo " - $name: " . implode(', ', $values) . "\n";
+ }
+}
+
+// Test 2: Origin yang tidak ada di .env
+echo "\nTest 2: Origin 'http://example.com' (tidak ada di .env):\n";
+$request2 = $requestFactory->createServerRequest('GET', '/health')
+ ->withHeader('Origin', 'http://example.com');
+
+$response2 = $responseFactory->createResponse(200);
+$handler2 = new class($response2) implements \Psr\Http\Server\RequestHandlerInterface {
+ private $response;
+ public function __construct($response) {
+ $this->response = $response;
+ }
+ public function handle(\Psr\Http\Message\ServerRequestInterface $request): \Psr\Http\Message\ResponseInterface {
+ return $this->response;
+ }
+};
+
+$result2 = $middleware->process($request2, $handler2);
+
+echo " Response headers:\n";
+$hasCorsHeaders = false;
+foreach ($result2->getHeaders() as $name => $values) {
+ if (str_starts_with(strtolower($name), 'access-control-')) {
+ $hasCorsHeaders = true;
+ echo " - $name: " . implode(', ', $values) . "\n";
+ }
+}
+if (!$hasCorsHeaders) {
+ echo " ⚠️ No CORS headers found (expected if origin not allowed)\n";
+}
+
+// Test 3: OPTIONS request (preflight)
+echo "\nTest 3: OPTIONS request (preflight):\n";
+$request3 = $requestFactory->createServerRequest('OPTIONS', '/health')
+ ->withHeader('Origin', 'http://localhost/retribusi');
+
+$response3 = $responseFactory->createResponse(200);
+$handler3 = new class($response3) implements \Psr\Http\Server\RequestHandlerInterface {
+ private $response;
+ public function __construct($response) {
+ $this->response = $response;
+ }
+ public function handle(\Psr\Http\Message\ServerRequestInterface $request): \Psr\Http\Message\ResponseInterface {
+ return $this->response;
+ }
+};
+
+$result3 = $middleware->process($request3, $handler3);
+
+echo " Status code: " . $result3->getStatusCode() . "\n";
+echo " Response headers:\n";
+foreach ($result3->getHeaders() as $name => $values) {
+ if (str_starts_with(strtolower($name), 'access-control-')) {
+ echo " - $name: " . implode(', ', $values) . "\n";
+ }
+}
+
+echo "\n=== Test Complete ===\n";
+echo "\nJika Test 1 tidak ada CORS headers, kemungkinan:\n";
+echo "1. PHP-FPM belum di-restart setelah perubahan code\n";
+echo "2. Opcache masih cache code lama (clear opcache)\n";
+echo "3. Check error log: tail -f /www/wwwlogs/api.btekno.cloud.error.log\n";
+
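Review bot: Test 2 is the only negative case and it cannot fail: if `http://example.com` does receive `Access-Control-*` headers, the loop only prints them and, as far as the visible lines show, the script still reaches "Test Complete" with exit status 0. For an allowlist check that outcome should be a hard failure, e.g. after the loop `if ($hasCorsHeaders) { fwrite(STDERR, "FAIL: CORS headers returned for an origin that is not allowed\n"); exit(1); }`, and the ⚠️ on the expected no-header case should read as a plain OK. Tests 1 and 3 send `Origin: http://localhost/retribusi`, but a browser's Origin header carries only scheme, host and port, so a pass here does not show that a real request from that app would match; `http://localhost` would be the realistic value. The top of the file is not visible on this page (the statement that opens Test 1 is cut off), so how the allowlist and factories are set up could not be checked.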