diff --git a/s3/s3.go b/s3/s3.go
index 6cde7c0ff732325d145071704815419a488caefb..c086f6836bf4268920d15040a9c6b0bbdc119116 100644
--- a/s3/s3.go
+++ b/s3/s3.go
@@ -54,6 +54,9 @@ const (
 	// MIMETypeImage defines the constant for the Image MIME type.
 	MIMETypeImage MIMEType = "image/*"
 
+	// MIMETypePNG defines the constant for the PNG MIME type.
+	MIMETypePNG MIMEType = "image/png"
+
 	// MIMETypeDefault defines the constant for the default MIME type.
 	MIMETypeDefault MIMEType = "application/octet-stream"
 
@@ -318,12 +321,19 @@ func (s SessionWithHelpers) DeleteObjectFromBucket(bucket string, fileName strin
 }
 
 func GetS3FileKey(fileName string, folder string) string {
+	var fileKey string
+
 	// Trim leading and trailing slashes
 	fileName = strings.TrimLeft(fileName, "/")
 	fileName = strings.TrimRight(fileName, "/")
 
-	folder = strings.TrimLeft(folder, "/")
-	folder = strings.TrimRight(folder, "/")
+	if folder != "" {
+		folder = strings.TrimLeft(folder, "/")
+		folder = strings.TrimRight(folder, "/")
+		fileKey += "/" + folder
+	}
+
+	fileKey += "/" + fileName
 
-	return "/" + folder + "/" + fileName
+	return fileKey
 }
diff --git a/utils/utils.go b/utils/utils.go
index beac7f4f8636c9ca49457fb984ec785d635fd690..7ad02bb22dde9973a52b8971599452e14ec2dde9 100644
--- a/utils/utils.go
+++ b/utils/utils.go
@@ -28,7 +28,7 @@ func CorsHeaders() map[string]string {
 	return map[string]string{
 		"Access-Control-Allow-Origin": "*",
 		// do not wildcard: https://stackoverflow.com/questions/13146892/cors-access-control-allow-headers-wildcard-being-ignored
-		"Access-Control-Allow-Headers":     "Accept, Accept-CH, Accept-Charset, Accept-Datetime, Accept-Encoding, Accept-Ext, Accept-Features, Accept-Language, Accept-Params, Accept-Ranges, Access-Control-Allow-Credentials, Access-Control-Allow-Headers, Access-Control-Allow-Methods, Access-Control-Allow-Origin, Access-Control-Expose-Headers, Access-Control-Max-Age, Access-Control-Request-Headers, Access-Control-Request-Method, Age, Allow, Alternates, Authentication-Info, Authorization, C-Ext, C-Man, C-Opt, C-PEP, C-PEP-Info, CONNECT, Cache-Control, Compliance, Connection, Content-Base, Content-Disposition, Content-Encoding, Content-ID, Content-Language, Content-Length, Content-Location, Content-MD5, Content-Range, Content-Script-Type, Content-Security-Policy, Content-Style-Type, Content-Transfer-Encoding, Content-Type, Content-Version, Cookie, Cost, DAV, DELETE, DNT, DPR, Date, Default-Style, Delta-Base, Depth, Derived-From, Destination, Differential-ID, Digest, ETag, Expect, Expires, Ext, From, GET, GetProfile, HEAD, HTTP-date, Host, IM, If, If-Match, If-Modified-Since, If-None-Match, If-Range, If-Unmodified-Since, Keep-Alive, Label, Last-Event-ID, Last-Modified, Link, Location, Lock-Token, MIME-Version, Man, Max-Forwards, Media-Range, Message-ID, Meter, Negotiate, Non-Compliance, OPTION, OPTIONS, OWS, Opt, Optional, Ordering-Type, Origin, Overwrite, P3P, PEP, PICS-Label, POST, PUT, Pep-Info, Permanent, Position, Pragma, ProfileObject, Protocol, Protocol-Query, Protocol-Request, Proxy-Authenticate, Proxy-Authentication-Info, Proxy-Authorization, Proxy-Features, Proxy-Instruction, Public, RWS, Range, Referer, Refresh, Resolution-Hint, Resolver-Location, Retry-After, Safe, Sec-Websocket-Extensions, Sec-Websocket-Key, Sec-Websocket-Origin, Sec-Websocket-Protocol, Sec-Websocket-Version, Security-Scheme, Server, Set-Cookie, Set-Cookie2, SetProfile, SoapAction, Status, Status-URI, Strict-Transport-Security, SubOK, Subst, Surrogate-Capability, Surrogate-Control, TCN, TE, TRACE, Timeout, Title, Trailer, Transfer-Encoding, UA-Color, UA-Media, UA-Pixels, UA-Resolution, UA-Windowpixels, URI, Upgrade, User-Agent, Variant-Vary, Vary, Version, Via, Viewport-Width, WWW-Authenticate, Want-Digest, Warning, Width, X-Content-Duration, X-Content-Security-Policy, X-Content-Type-Options, X-CustomHeader, X-DNSPrefetch-Control, X-Forwarded-For, X-Forwarded-Port, X-Forwarded-Proto, X-Frame-Options, X-Modified, X-OTHER, X-PING, X-PINGOTHER, X-Powered-By, X-Requested-With",
+		"Access-Control-Allow-Headers":     "authorization, content-type, referer, sec-ch-ua, sec-ch-ua-mobile, sec-ch-ua-platform, user-agent, x-amz-date, x-amz-security-token",
 		"Access-Control-Allow-Methods":     "OPTIONS,GET,PUT,POST,DELETE,PATCH,HEAD",
 		"Access-Control-Max-Age":           "86400",
 		"Access-Control-Allow-Credentials": "true",