diff --git a/safehttp/plugins/cors/cors.go b/safehttp/plugins/cors/cors.go
index bbb9ee7b..e36a6107 100644
--- a/safehttp/plugins/cors/cors.go
+++ b/safehttp/plugins/cors/cors.go
@@ -139,7 +139,7 @@ func (it *Interceptor) Before(w *safehttp.ResponseWriter, r *safehttp.IncomingRe
 func (it *Interceptor) preflight(setHeaders func(), w *safehttp.ResponseWriter, r *safehttp.IncomingRequest) safehttp.Result {
 rh := r.Header
 method := rh.Get("Access-Control-Request-Method")
- if disallowedMethods[method] {
+ if method == "" || disallowedMethods[method] {
 return w.ClientError(safehttp.StatusForbidden)
 }
 wh := w.Header()
diff --git a/safehttp/plugins/cors/cors_test.go b/safehttp/plugins/cors/cors_test.go
index 25e5603e..b1803596 100644
--- a/safehttp/plugins/cors/cors_test.go
+++ b/safehttp/plugins/cors/cors_test.go
@@ -500,6 +500,7 @@ func TestInvalidAccessControlRequestMethod(t *testing.T) {
 safehttp.MethodGet,
 safehttp.MethodHead,
 safehttp.MethodPost,
+ "",
 }
 for _, m := range methods {
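Review bot: The new `method == ""` condition on the changed `if` line carries no comment explaining why an empty Access-Control-Request-Method is forbidden, and the bare map-lookup form next to it invites a later "simplification" back to `disallowedMethods[method]`; suggest `// A preflight with no Access-Control-Request-Method is malformed; reject it before any CORS response headers are set.` The 403 is returned before `wh := w.Header()` on the following line, so the rejection carries no Access-Control-* headers, which is the outcome you want for a malformed preflight, assuming the caller in Before (outside this hunk) has not already written them. preflight's body continues past the end of the hunk.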