diff --git a/backend/server/main/settings.py b/backend/server/main/settings.py
index 073fd77..f707af4 100644
--- a/backend/server/main/settings.py
+++ b/backend/server/main/settings.py
@@ -295,6 +295,8 @@ CORS_ALLOWED_ORIGINS = [origin.strip() for origin in getenv('CSRF_TRUSTED_ORIGIN
 
 CSRF_TRUSTED_ORIGINS = [origin.strip() for origin in getenv('CSRF_TRUSTED_ORIGINS', 'http://localhost').split(',') if origin.strip()]
 
+CORS_ALLOW_CREDENTIALS = True
+
 DEFAULT_AUTO_FIELD = 'django.db.models.AutoField'
 
 LOGGING = {
diff --git a/frontend/src/routes/gpx/[file]/+server.ts b/frontend/src/routes/gpx/[file]/+server.ts
deleted file mode 100644
index 9edaa38..0000000
--- a/frontend/src/routes/gpx/[file]/+server.ts
+++ /dev/null
@@ -1,22 +0,0 @@
-const PUBLIC_SERVER_URL = process.env['PUBLIC_SERVER_URL'];
-const endpoint = PUBLIC_SERVER_URL || 'http://localhost:8000';
-
-/** @type {import('./$types').RequestHandler} */
-export async function GET(event) {
-	let sessionid = event.cookies.get('sessionid');
-	let fileName = event.params.file;
-	let res = await fetch(`${endpoint}/media/attachments/${fileName}`, {
-		method: 'GET',
-		headers: {
-			'Content-Type': 'application/json',
-			Cookie: `sessionid=${sessionid}`
-		}
-	});
-	let data = await res.text();
-	return new Response(data, {
-		status: res.status,
-		headers: {
-			'Content-Type': 'application/xml'
-		}
-	});
-}
diff --git a/frontend/src/routes/locations/[id]/+page.svelte b/frontend/src/routes/locations/[id]/+page.svelte
index be01d95..203474f 100644
--- a/frontend/src/routes/locations/[id]/+page.svelte
+++ b/frontend/src/routes/locations/[id]/+page.svelte
@@ -45,7 +45,9 @@
 			const promises = gpxfiles.map(async (gpxfile) => {
 				try {
 					const gpxFileName = gpxfile.split('/').pop();
-					const res = await fetch('/gpx/' + gpxFileName);
+					const res = await fetch(gpxfile, {
+						credentials: 'include'
+					});
 
 					if (!res.ok) {
 						console.error(`Failed to fetch GPX file: ${gpxFileName}`);