diff --git a/nginx/defaults/main.yml b/nginx/defaults/main.yml
index 16b1ef02..495a0004 100644
--- a/nginx/defaults/main.yml
+++ b/nginx/defaults/main.yml
@@ -65,7 +65,12 @@ nginx_cors_global: True
 nginx_cors_limit_origin: True
 nginx_cors_extended_rules: False
 nginx_cors_acl_origin: 'http?://(localhost)'
+# Possible methods:
+# CONNECT, DEBUG, DELETE, DONE, GET, HEAD, HTTP, HTTP/0.9, HTTP/1.0, HTTP/1.1, HTTP/2, OPTIONS, ORIGIN, ORIGINS, PATCH, POST, PUT, QUIC, REST, SESSION, SHOULD, SPDY, TRACE, TRACK
 nginx_cors_allowed_methods: 'GET, POST, OPTIONS'
+# Possible headers:
+# 'Accept, Accept-CH, Accept-Charset, Accept-Datetime, Accept-Encoding, Accept-Ext, Accept-Features, Accept-Language, Accept-Params, Accept-Ranges, Access-Control-Allow-Credentials, Access-Control-Allow-Headers, Access-Control-Allow-Methods, Access-Control-Allow-Origin, Access-Control-Expose-Headers, Access-Control-Max-Age, Access-Control-Request-Headers, Access-Control-Request-Method, Age, Allow, Alternates, Authentication-Info, Authorization, C-Ext, C-Man, C-Opt, C-PEP, C-PEP-Info, CONNECT, Cache-Control, Compliance, Connection, Content-Base, Content-Disposition, Content-Encoding, Content-ID, Content-Language, Content-Length, Content-Location, Content-MD5, Content-Range, Content-Script-Type, Content-Security-Policy, Content-Style-Type, Content-Transfer-Encoding, Content-Type, Content-Version, Cookie, Cost, DAV, DELETE, DNT, DPR, Date, Default-Style, Delta-Base, Depth, Derived-From, Destination, Differential-ID, Digest, ETag, Expect, Expires, Ext, From, GET, GetProfile, HEAD, HTTP-date, Host, IM, If, If-Match, If-Modified-Since, If-None-Match, If-Range, If-Unmodified-Since, Keep-Alive, Label, Last-Event-ID, Last-Modified, Link, Location, Lock-Token, MIME-Version, Man, Max-Forwards, Media-Range, Message-ID, Meter, Negotiate, Non-Compliance, OPTION, OPTIONS, OWS, Opt, Optional, Ordering-Type, Origin, Overwrite, P3P, PEP, PICS-Label, POST, PUT, Pep-Info, Permanent, Position, Pragma, ProfileObject, Protocol, Protocol-Query, Protocol-Request, Proxy-Authenticate, Proxy-Authentication-Info, Proxy-Authorization, Proxy-Features, Proxy-Instruction, Public, RWS, Range, Referer, Refresh, Resolution-Hint, Resolver-Location, Retry-After, Safe, Sec-Websocket-Extensions, Sec-Websocket-Key, Sec-Websocket-Origin, Sec-Websocket-Protocol, Sec-Websocket-Version, Security-Scheme, Server, Set-Cookie, Set-Cookie2, SetProfile, SoapAction, Status, Status-URI, Strict-Transport-Security, SubOK, Subst, Surrogate-Capability, Surrogate-Control, TCN, TE, TRACE, Timeout, Title, Trailer, Transfer-Encoding, UA-Color, UA-Media, UA-Pixels, UA-Resolution, UA-Windowpixels, URI, Upgrade, User-Agent, Variant-Vary, Vary, Version, Via, Viewport-Width, WWW-Authenticate, Want-Digest, Warning, Width, X-Content-Duration, X-Content-Security-Policy, X-Content-Type-Options, X-CustomHeader, X-DNSPrefetch-Control, X-Forwarded-For, X-Forwarded-Port, X-Forwarded-Proto, X-Frame-Options, X-Modified, X-OTHER, X-PING, X-PINGOTHER, X-Powered-By, X-Requested-With'
+nginx_cors_allowed_headers: 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Mx-ReqToken,X-Requested-With,Accept-Language,X-CustomHeader,Content-Range,Range'
 
 # Find a set of acceptable defaults for the cache setup
 nginx_cache_enabled: False
diff --git a/nginx/templates/nginx-cors.conf.j2 b/nginx/templates/nginx-cors.conf.j2
index 83c36d6f..7c15ee45 100644
--- a/nginx/templates/nginx-cors.conf.j2
+++ b/nginx/templates/nginx-cors.conf.j2
@@ -2,15 +2,15 @@
 if ($request_method = 'OPTIONS') {
 {% if nginx_cors_limit_origin %}
     add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
-    add_header 'Access-Control-Allow-Credentials' 'true';
 {% else %}
     add_header 'Access-Control-Allow-Origin' '*';
 {% endif %}
+    add_header 'Access-Control-Allow-Credentials' 'true';
     add_header 'Access-Control-Allow-Methods' '{{ nginx_cors_allowed_methods }}';
     #
     # Custom headers and headers various browsers *should* be OK with but aren't
     #
-    add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Mx-ReqToken,X-Requested-With,Accept-Language,X-CustomHeader,Content-Range,Range';
+    add_header 'Access-Control-Allow-Headers' '{{ nginx_cors_allowed_headers }}';
     #
     # Tell client that this pre-flight info is valid for 20 days
     #
@@ -27,8 +27,8 @@ if ($request_method = 'POST') {
     add_header 'Access-Control-Allow-Origin' '*';
 {% endif %}
     add_header 'Access-Control-Allow-Methods' '{{ nginx_cors_allowed_methods }}';
-    add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Mx-ReqToken,X-Requested-With,Accept-Language,X-CustomHeader,Content-Range,Range';
-    add_header 'Access-Control-Expose-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Mx-ReqToken,X-Requested-With,Accept-Language,X-CustomHeader,Content-Range,Range';
+    add_header 'Access-Control-Allow-Headers' '{{ nginx_cors_allowed_headers }}';
+    add_header 'Access-Control-Expose-Headers' '{{ nginx_cors_allowed_headers }}';
 }
 if ($request_method = 'GET') {
 {% if nginx_cors_limit_origin %}
@@ -38,23 +38,22 @@ if ($request_method = 'GET') {
     add_header 'Access-Control-Allow-Origin' '*';
 {% endif %}
     add_header 'Access-Control-Allow-Methods' '{{ nginx_cors_allowed_methods }}';
-    add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Mx-ReqToken,X-Requested-With,Accept-Language,X-CustomHeader,Content-Range,Range';
-    add_header 'Access-Control-Expose-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Mx-ReqToken,X-Requested-With,Accept-Language,X-CustomHeader,Content-Range,Range';
+    add_header 'Access-Control-Allow-Headers' '{{ nginx_cors_allowed_headers }}';
+    add_header 'Access-Control-Expose-Headers' '{{ nginx_cors_allowed_headers }}';
 }
 {% else %}
 {% if nginx_cors_limit_origin %}
 add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
-add_header 'Access-Control-Allow-Credentials' 'true';
 {% else %}
 add_header 'Access-Control-Allow-Origin' '*';
 {% endif %}
-add_header 'Access-Control-Allow-Methods' '{{ nginx_cors_allowed_methods }}';
-add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Mx-ReqToken,X-Requested-With,Accept-Language,X-CustomHeader,Content-Range,Range';
-add_header 'Access-Control-Expose-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Mx-ReqToken,X-Requested-With,Accept-Language,X-CustomHeader,Content-Range,Range';
-{% if nginx_cors_limit_origin %}
-if ($request_method = 'OPTIONS') {
+if ($request_method = OPTIONS ) {
     return 204;
 }
+add_header 'Access-Control-Allow-Credentials' 'true';
+add_header 'Access-Control-Allow-Methods' '{{ nginx_cors_allowed_methods }}';
+add_header 'Access-Control-Allow-Headers' '{{ nginx_cors_allowed_headers }}';
+add_header 'Access-Control-Expose-Headers' '{{ nginx_cors_allowed_headers }}';
 {% endif %}
 {% endif %}