diff --git a/brightIDfaucet/settings.py b/brightIDfaucet/settings.py
index 79dbf66..bafc6cb 100644
--- a/brightIDfaucet/settings.py
+++ b/brightIDfaucet/settings.py
@@ -7,6 +7,8 @@
 from dotenv import load_dotenv
 from sentry_sdk.integrations.django import DjangoIntegration
 
+from corsheaders.defaults import default_headers
+
 from faucet.faucet_manager.bright_id_interface import BrightIDInterface
 
 load_dotenv()
@@ -244,6 +246,15 @@ def before_send(event, hint):
 else:
     CORS_ALLOW_ALL_ORIGINS = True
 
+
+# Add Turnstile response headers for CORS
+# These headers are required for Cloudflare and HCaptcha Turnstile anti-bot service
+
+CORS_ALLOW_HEADERS = list(default_headers) + [
+    'cf-turnstile-response',
+    'hc-turnstile-response',
+]
+
 # Static files (CSS, JavaScript, Images)
 # https://docs.djangoproject.com/en/4.0/howto/static-files/
 
diff --git a/core/constraints/captcha.py b/core/constraints/captcha.py
index 070ef11..7c29e3a 100644
--- a/core/constraints/captcha.py
+++ b/core/constraints/captcha.py
@@ -31,7 +31,7 @@ def is_observed(self, *args, **kwargs) -> bool:
             context["request"]
         )
 
-        turnstile_token = request_context.data.get("cf-turnstile-response")
+        turnstile_token = request_context.headers.get("cf-turnstile-response")
 
         return request_context.ip is not None and turnstile_token is not None and cloudflare.is_verified(
             turnstile_token, request_context.ip
@@ -60,7 +60,7 @@ def is_observed(self, *args, **kwargs) -> bool:
             context["request"]
         )
 
-        turnstile_token = request_context.data.get("cf-turnstile-response")
+        turnstile_token = request_context.headers.get("hc-turnstile-response")
 
         return request_context.ip is not None and turnstile_token is not None and hcaptcha.is_verified(
             turnstile_token, request_context.ip
diff --git a/core/constraints/zora.py b/core/constraints/zora.py
index bed49bd..6d791d0 100644
--- a/core/constraints/zora.py
+++ b/core/constraints/zora.py
@@ -12,8 +12,8 @@ class DidMintZoraNFT(ConstraintVerification):
     app_name = ConstraintApp.ZORA.value
     _param_keys = [ConstraintParam.ADDRESS]
 
-    def __init__(self, user_profile) -> None:
-        super().__init__(user_profile)
+    def __init__(self, user_profile, *, obj=None) -> None:
+        super().__init__(user_profile, obj=obj)
 
     def is_observed(self, *args, **kwargs) -> bool:
         zora_util = ZoraUtil()
diff --git a/prizetap/migrations/0079_fix_raffle_image_urls.py b/prizetap/migrations/0079_fix_raffle_image_urls.py
new file mode 100644
index 0000000..cf85d93
--- /dev/null
+++ b/prizetap/migrations/0079_fix_raffle_image_urls.py
@@ -0,0 +1,32 @@
+# Generated by Django 4.0.4 on 2024-08-25 09:12
+
+from django.db import migrations, models
+
+
+def fix_raffle_images_prefix(apps, schema):
+    Raffle = apps.get_model("prizetap", "Raffle")
+
+    raffles = Raffle.objects.all()
+
+    for raffle in raffles:
+        if (
+            raffle.image
+            and raffle.image.name
+            and raffle.image.name.startswith("https://imagedelivery.net")
+        ):
+            # split the url to get the image id
+            raffle.image.name = raffle.image.name.split("/")[-2]
+            raffle.save()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("prizetap", "0078_alter_constraint_name"),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            fix_raffle_images_prefix, reverse_code=migrations.RunPython.noop
+        )
+    ]
diff --git a/tokenTap/migrations/0065_fix_token_image_prefix.py b/tokenTap/migrations/0065_fix_token_image_prefix.py
new file mode 100644
index 0000000..d1df6a4
--- /dev/null
+++ b/tokenTap/migrations/0065_fix_token_image_prefix.py
@@ -0,0 +1,40 @@
+# Generated by Django 4.0.4 on 2024-08-25 09:12
+
+from django.db import migrations, models
+
+
+def fix_token_images_prefix(apps, schema_editor):
+    TokenDistribution = apps.get_model("tokenTap", "TokenDistribution")
+
+    tokens = TokenDistribution.objects.all()
+
+    for token in tokens:
+        if (
+            token.image
+            and token.image.name
+            and token.image.name.startswith("https://imagedelivery.net")
+        ):
+            # split the url to get the image id
+            token.image.name = token.image.name.split("/")[-2]
+            token.save()
+
+        if (
+            token.token_image
+            and token.token_image.name
+            and token.token_image.name.startswith("https://imagedelivery.net")
+        ):
+            token.token_image.name = token.token_image.name.split("/")[-2]
+            token.save()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("tokenTap", "0064_alter_constraint_name"),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            fix_token_images_prefix, reverse_code=migrations.RunPython.noop
+        )
+    ]