diff --git a/crates/router/src/cors.rs b/crates/router/src/cors.rs
index 9baa4484ee43..21293301b952 100644
--- a/crates/router/src/cors.rs
+++ b/crates/router/src/cors.rs
@@ -7,6 +7,7 @@ pub fn cors(config: settings::CorsSettings) -> actix_cors::Cors {
 let mut cors = actix_cors::Cors::default()
 .allowed_methods(allowed_methods)
+ .allow_any_header()
 .max_age(config.max_age);
 if config.wildcard_origin {
@@ -15,6 +16,8 @@ pub fn cors(config: settings::CorsSettings) -> actix_cors::Cors {
 for origin in &config.origins {
 cors = cors.allowed_origin(origin);
 }
+ // Only allow this in case if it's not wildcard origins. ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials
+ cors = cors.supports_credentials();
 }
 cors
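Review bot: `.allow_any_header()` in the first hunk is applied before the origin branch, so it also covers the credentialed path that the second hunk enables with `supports_credentials()`; a fixed allow-list is the safer default there. As far as I can tell, actix-cors then accepts whatever header names a preflight asks for, which removes the header check for cookie-bearing cross-origin requests. I would replace the added line with an explicit list, e.g. `.allowed_headers(vec![header::CONTENT_TYPE, header::AUTHORIZATION])` (a constructed example; the real list should match the headers the API actually reads), or keep `allow_any_header()` only on the wildcard branch. The body of `cors` starts above this hunk and continues past it.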
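Review bot: `cors.supports_credentials()` in the second hunk is switched on for every entry in `config.origins` with no setting to turn it off, so any deployment that lists an origin now lets that origin make cookie-bearing requests. Nothing visible here validates the configured origins, so an over-broad or stale entry would gain authenticated access. I would gate the call behind an explicit opt-in, e.g. `if config.allow_credentials { cors = cors.supports_credentials(); }`, where `allow_credentials` is a proposed new `CorsSettings` field that defaults to false. The comment would read better as `// Credentials cannot be combined with a wildcard origin, so enable them only for the explicit origin list.` The `if`/`else` this sits in opens outside the hunk, so which branch it belongs to is inferred from the comment.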