diff --git a/src/ESPAsyncWebServer.h b/src/ESPAsyncWebServer.h
index 7d5eea17e..9c150dbaa 100644
--- a/src/ESPAsyncWebServer.h
+++ b/src/ESPAsyncWebServer.h
@@ -891,7 +891,13 @@ class AsyncCorsMiddleware : public AsyncMiddleware {
 _maxAge = seconds;
 }
- void addCORSHeaders(AsyncWebServerResponse *response);
+#ifndef ESP8266
+ [[deprecated("Use instead: addCORSHeaders(AsyncWebServerRequest *request, AsyncWebServerResponse *response)")]]
+#endif
+ void addCORSHeaders(AsyncWebServerResponse *response) {
+ addCORSHeaders(nullptr, response);
+ }
+ void addCORSHeaders(AsyncWebServerRequest *request, AsyncWebServerResponse *response);
 void run(AsyncWebServerRequest *request, ArMiddlewareNext next);
diff --git a/src/Middleware.cpp b/src/Middleware.cpp
index 5e9c3c274..769e29e2b 100644
--- a/src/Middleware.cpp
+++ b/src/Middleware.cpp
@@ -228,8 +228,13 @@ void AsyncLoggingMiddleware::run(AsyncWebServerRequest *request, ArMiddlewareNex
 }
 }
-void AsyncCorsMiddleware::addCORSHeaders(AsyncWebServerResponse *response) {
- response->addHeader(asyncsrv::T_CORS_ACAO, _origin.c_str());
+void AsyncCorsMiddleware::addCORSHeaders(AsyncWebServerRequest *request, AsyncWebServerResponse *response) {
+ if (request != nullptr && _credentials && _origin == "*") {
+ // cannot use wildcard when allowing credentials
+ response->addHeader(asyncsrv::T_CORS_ACAO, request->header(asyncsrv::T_CORS_O).c_str());
+ } else {
+ response->addHeader(asyncsrv::T_CORS_ACAO, _origin.c_str());
+ }
 response->addHeader(asyncsrv::T_CORS_ACAM, _methods.c_str());
 response->addHeader(asyncsrv::T_CORS_ACAH, _headers.c_str());
 response->addHeader(asyncsrv::T_CORS_ACAC, _credentials ? asyncsrv::T_TRUE : asyncsrv::T_FALSE);
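Review bot: The two `addCORSHeaders` overloads in `AsyncCorsMiddleware` now behave differently and nothing in the header says so: the deprecated one-argument form forwards `nullptr`, so with credentials enabled and origin `*` it still sends the wildcard next to the credentials header, a pairing browsers refuse. A comment on the new declaration would cover it, for example `// request may be nullptr; the configured origin is then sent unchanged and the request's Origin header is never echoed`. The class body continues outside the hunk.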
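Review bot: Echoing the request's Origin into the allow-origin header whenever `_credentials` is set and `_origin == "*"`, as the new branch in `AsyncCorsMiddleware::addCORSHeaders` does, lets any site the user's browser visits read responses with cookies or HTTP auth attached; browsers ban wildcard-with-credentials to prevent exactly this. The echo should be limited to origins the application has explicitly configured, and for `*` plus credentials the safer default is to drop the credentials header or reject the configuration rather than reflect. Where the echo is kept, the response also needs `response->addHeader("Vary", "Origin");` (or the project's constant for that header name, if one exists) so a cache does not serve one origin's response to another. `request->header(asyncsrv::T_CORS_O)` is read without checking that the header is present; the guard may sit in `run()`, outside this hunk, but this overload is public and can be called directly.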
@@ -242,7 +247,7 @@ void AsyncCorsMiddleware::run(AsyncWebServerRequest *request, ArMiddlewareNext n
 // check if this is a preflight request => handle it and return
 if (request->method() == HTTP_OPTIONS) {
 AsyncWebServerResponse *response = request->beginResponse(200);
- addCORSHeaders(response);
+ addCORSHeaders(request, response);
 request->send(response);
 return;
 }
@@ -251,7 +256,7 @@ void AsyncCorsMiddleware::run(AsyncWebServerRequest *request, ArMiddlewareNext n
 next();
 AsyncWebServerResponse *response = request->getResponse();
 if (response) {
- addCORSHeaders(response);
+ addCORSHeaders(request, response);
 }
 } else {