diff --git a/nginx/templates/nginx-cors.conf.j2 b/nginx/templates/nginx-cors.conf.j2
index 7c15ee45..1f3af869 100644
--- a/nginx/templates/nginx-cors.conf.j2
+++ b/nginx/templates/nginx-cors.conf.j2
@@ -22,10 +22,10 @@ if ($request_method = 'OPTIONS') {
 if ($request_method = 'POST') {
 {% if nginx_cors_limit_origin %}
     add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
-    add_header 'Access-Control-Allow-Credentials' 'true';
 {% else %}
     add_header 'Access-Control-Allow-Origin' '*';
 {% endif %}
+    add_header 'Access-Control-Allow-Credentials' 'true';
     add_header 'Access-Control-Allow-Methods' '{{ nginx_cors_allowed_methods }}';
     add_header 'Access-Control-Allow-Headers' '{{ nginx_cors_allowed_headers }}';
     add_header 'Access-Control-Expose-Headers' '{{ nginx_cors_allowed_headers }}';
@@ -33,10 +33,10 @@ if ($request_method = 'POST') {
 if ($request_method = 'GET') {
 {% if nginx_cors_limit_origin %}
     add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
-    add_header 'Access-Control-Allow-Credentials' 'true';
 {% else %}
     add_header 'Access-Control-Allow-Origin' '*';
 {% endif %}
+    add_header 'Access-Control-Allow-Credentials' 'true';
     add_header 'Access-Control-Allow-Methods' '{{ nginx_cors_allowed_methods }}';
     add_header 'Access-Control-Allow-Headers' '{{ nginx_cors_allowed_headers }}';
     add_header 'Access-Control-Expose-Headers' '{{ nginx_cors_allowed_headers }}';
@@ -55,5 +55,4 @@ add_header 'Access-Control-Allow-Methods' '{{ nginx_cors_allowed_methods }}';
 add_header 'Access-Control-Allow-Headers' '{{ nginx_cors_allowed_headers }}';
 add_header 'Access-Control-Expose-Headers' '{{ nginx_cors_allowed_headers }}';
 {% endif %}
-{% endif %}