diff --git a/README.md b/README.md
index f41d0d0a..a1b5f52d 100644
--- a/README.md
+++ b/README.md
@@ -132,7 +132,7 @@ Also try for example 'admin@xxx.example.com' or 'unknown@example.org'.
 
 If you want a formatted JSON output, you can pipe the result to `jq` or similar.
 
-And to see the full, currently implemented, API, open http://localhost:8081/actuator/swagger-ui/index.html (uses management-port and thus bypasses authentication).
+And to see the full, currently implemented, API, open http://localhost:8080/swagger-ui/index.html (on same port as the API to avoid CORS problems).
 
 If you still need to install some of these tools, find some hints in the next chapters. 
 
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
index 60fd285e..28da0a0a 100644
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@@ -17,7 +17,7 @@ management:
                 # HOWTO: view the effective application configuration properties:
                 #   http://localhost:8081/actuator/configprops
 
-                include: info, health, metrics, metric-links, mappings, openapi, swaggerui, configprops, env
+                include: info, health, metrics, metric-links, mappings, openapi, configprops, env
     endpoint:
         env:
             # TODO.spec: check this, maybe set to when_authorized?
@@ -37,6 +37,10 @@ spring:
         url: ${HSADMINNG_POSTGRES_JDBC_URL}
         username: postgres
 
+    data:
+        rest:
+            detection-strategy: annotated
+
     sql:
         init:
             mode: never
@@ -51,7 +55,8 @@ spring:
 
 # keep this in sync with test/.../application.yml
 springdoc:
-    use-management-port: true
+    # SwaggerUI must run on the same port as the API itself, otherwise CORS will block accessing the API
+    use-management-port: false
 
 hsadminng:
     postgres:
diff --git a/src/test/java/net/hostsharing/hsadminng/config/WebSecurityConfigIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/config/WebSecurityConfigIntegrationTest.java
index 3a612b35..063527cd 100644
--- a/src/test/java/net/hostsharing/hsadminng/config/WebSecurityConfigIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/config/WebSecurityConfigIntegrationTest.java
@@ -84,14 +84,14 @@ class WebSecurityConfigIntegrationTest {
     @Test
     public void shouldSupportSwaggerUi() {
         final var result = this.restTemplate.getForEntity(
-                "http://localhost:" + this.managementPort + "/actuator/swagger-ui/index.html", String.class);
+                "http://localhost:" + this.managementPort + "/swagger-ui/index.html", String.class);
         assertThat(result.getStatusCode()).isEqualTo(HttpStatus.OK);
     }
 
     @Test
     public void shouldSupportApiDocs() {
         final var result = this.restTemplate.getForEntity(
-                "http://localhost:" + this.managementPort + "/actuator/v3/api-docs/swagger-config", String.class);
+                "http://localhost:" + this.managementPort + "/v3/api-docs/swagger-config", String.class);
         assertThat(result.getStatusCode()).isEqualTo(HttpStatus.NOT_FOUND); // permitted but not configured
     }
 
@@ -109,5 +109,4 @@ class WebSecurityConfigIntegrationTest {
                 "http://localhost:" + this.managementPort + "/actuator/metrics", Map.class);
         assertThat(result.getStatusCode()).isEqualTo(HttpStatus.OK);
     }
-
 }
diff --git a/src/test/resources/application.yml b/src/test/resources/application.yml
index 344828e7..abf049a6 100644
--- a/src/test/resources/application.yml
+++ b/src/test/resources/application.yml
@@ -41,7 +41,9 @@ spring:
 
 # keep this in sync with main/.../application.yml
 springdoc:
-    use-management-port: true
+    # SwaggerUI must run on the same port as the API itself, otherwise CORS will block accessing the API
+    use-management-port: false
+
 
 logging:
     level: