diff --git a/nginx/defaults/main.yml b/nginx/defaults/main.yml
index b6a3d18..6aaef47 100644
--- a/nginx/defaults/main.yml
+++ b/nginx/defaults/main.yml
@@ -58,7 +58,7 @@ nginx_proxy_temp_file_write_size: '{{ nginx_proxy_buffer_size }}'
 nginx_client_max_body_size: 100M
 nginx_client_body_timeout: 240s
 
-nginx_cors_limit_origin: False
+nginx_cors_limit_origin: True
 nginx_cors_extended_rules: False
 nginx_cors_acl_origin: 'http?://(localhost)'
 
diff --git a/nginx/templates/nginx-cors.conf.j2 b/nginx/templates/nginx-cors.conf.j2
index 75b93a6..b3e8f4b 100644
--- a/nginx/templates/nginx-cors.conf.j2
+++ b/nginx/templates/nginx-cors.conf.j2
@@ -1,7 +1,7 @@
 {% if nginx_cors_extended_rules %}
 if ($request_method = 'OPTIONS') {
 {% if nginx_cors_limit_origin %}
-    add_header 'Access-Control-Allow-Origin' "{{ nginx_cors_acl_origin | default('$http_origin') }}";
+    add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
     add_header 'Access-Control-Allow-Credentials' 'true';
 {% else %}
     add_header 'Access-Control-Allow-Origin' '*';
@@ -21,7 +21,7 @@ if ($request_method = 'OPTIONS') {
 }
 if ($request_method = 'POST') {
 {% if nginx_cors_limit_origin %}
-    add_header 'Access-Control-Allow-Origin' "{{ nginx_cors_acl_origin | default('$http_origin') }}";
+    add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
     add_header 'Access-Control-Allow-Credentials' 'true';
 {% else %}
     add_header 'Access-Control-Allow-Origin' '*';
@@ -32,7 +32,7 @@ if ($request_method = 'POST') {
 }
 if ($request_method = 'GET') {
 {% if nginx_cors_limit_origin %}
-    add_header 'Access-Control-Allow-Origin' "{{ nginx_cors_acl_origin | default('$http_origin') }}";
+    add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
     add_header 'Access-Control-Allow-Credentials' 'true';
 {% else %}
     add_header 'Access-Control-Allow-Origin' '*';