diff --git a/defaults/main.yml b/defaults/main.yml
index 6313fd0..b528949 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -91,7 +91,7 @@ nginx_client_body_timeout: 240s
 
 nginx_cors_enabled: false
 nginx_cors_global: true
-nginx_cors_limit_origin: true
+nginx_cors_limit_origin: false
 nginx_cors_extended_rules: false
 nginx_cors_acl_origin: 'http?://(localhost)'
 nginx_access_control_allow_origin_src: "*"
diff --git a/templates/nginx-cors.conf.j2 b/templates/nginx-cors.conf.j2
index aac2ca8..d4bb229 100644
--- a/templates/nginx-cors.conf.j2
+++ b/templates/nginx-cors.conf.j2
@@ -61,8 +61,8 @@ if ($request_method = OPTIONS ) {
 {% if nginx_cors_limit_origin %}
 add_header 'Access-Control-Allow-Credentials' 'true';
 {% endif %}
-add_header 'Access-Control-Allow-Methods' '{{ nginx_cors_allowed_methods }}';
-add_header 'Access-Control-Allow-Headers' '{{ nginx_cors_allowed_headers }}';
-add_header 'Access-Control-Expose-Headers' '{{ nginx_cors_allowed_headers }}';
+add_header 'Access-Control-Allow-Methods' '{{ nginx_cors_allowed_methods }}' always;
+add_header 'Access-Control-Allow-Headers' '{{ nginx_cors_allowed_headers }}' always;
+add_header 'Access-Control-Expose-Headers' '{{ nginx_cors_allowed_headers }}' always;
 {% endif %}