diff --git a/docs/README.md b/docs/README.md
index 831a01957..8b595b256 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -1980,7 +1980,7 @@ Function used to check whether a given CORS request should be allowed based on t
 _**default value**_:
 ```js
 function clientBasedCORS(ctx, origin, client) {
- return true;
+ return false;
 }
 ```
diff --git a/lib/helpers/defaults.js b/lib/helpers/defaults.js
index e706c8de1..070044538 100644
--- a/lib/helpers/defaults.js
+++ b/lib/helpers/defaults.js
@@ -36,8 +36,8 @@ async function audiences(ctx, sub, token, use) { // eslint-disable-line no-unuse
 }
 function clientBasedCORS(ctx, origin, client) { // eslint-disable-line no-unused-vars
- shouldChange('clientBasedCORS', 'control CORS allowed Origins based on the client making a CORS request');
- return true;
+ mustChange('clientBasedCORS', 'control CORS allowed Origins based on the client making a CORS request');
+ return false;
 }
 /* istanbul ignore next */
diff --git a/test/cors/cors.test.js b/test/cors/cors.test.js
index faa5c0e6a..b943ac370 100644
--- a/test/cors/cors.test.js
+++ b/test/cors/cors.test.js
@@ -103,7 +103,18 @@ describe('CORS setup', () => {
 expect(headers[ACAHeaders]).to.eql('foo');
 });
- describe('with clientBasedCORS true (default)', () => {
+ describe('with clientBasedCORS resolving to true', () => {
+ before(function () {
+ const conf = i(this.provider).configuration();
+ this.clientBasedCORS = conf.clientBasedCORS;
+ conf.clientBasedCORS = () => true;
+ });
+
+ after(function () {
+ const conf = i(this.provider).configuration();
+ conf.clientBasedCORS = this.clientBasedCORS;
+ });
+
 it('userinfo has cors open', async function () {
 const { status, headers } = await req.call(
 this,
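Review bot: The new fail-closed default in lib/helpers/defaults.js carries no header comment, so a reader of `clientBasedCORS` sees a function that ignores `origin` and `client` and returns false without being told that rejecting every client-based CORS request is the intended shipped behaviour and that a deployment is expected to replace it with a decision based on the calling client. A short comment above the signature would help, saying that the hook decides whether a CORS request from `origin` made on behalf of `client` is allowed, that it returns a boolean, and that the default deliberately denies all such requests. Note also that `mustChange` runs inside the function body, i.e. on every CORS request rather than once at configuration time; depending on how `mustChange` reports (its implementation is outside this hunk), a deployment that keeps the default may see the warning or error per request instead of at startup, which is worth confirming.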
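Review bot: The `before` hook in the test hunk parks the original hook on the shared mocha context as `this.clientBasedCORS`, where it is visible to every test under the enclosing `describe('CORS setup')` and could collide with another suite saving state under the same name; a closure-scoped variable keeps the saved value local to this suite. The change is three lines: declare `let original;` inside the describe, write `original = conf.clientBasedCORS;` in `before`, and restore with `conf.clientBasedCORS = original;` in `after`. The `() => true` stub discards origin and client, which is fine for a suite that only exercises the open case. The `it` body continues outside the hunk.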
@@ -281,17 +292,7 @@ describe('CORS setup', () => {
 });
 });
- describe('with clientBasedCORS false', () => {
- before(function () {
- const conf = i(this.provider).configuration();
- conf.clientBasedCORS = () => false;
- });
-
- after(function () {
- const conf = i(this.provider).configuration();
- conf.clientBasedCORS = () => true;
- });
-
+ describe('with clientBasedCORS false (default)', () => {
 it('userinfo has cors closed', async function () {
 const { status, headers } = await req.call(
 this,
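Review bot: The suite renamed to `with clientBasedCORS false (default)` no longer configures the hook at all, so the closed-CORS assertions now depend on the provider under test actually running the shipped default; if the test setup (outside this hunk) ever supplies its own `clientBasedCORS`, these tests would pass or fail for a reason unrelated to the default. A comment at the top of the suite, `// relies on the shipped default, which denies every client-based CORS request`, records the assumption, and a `before` hook that asserts the configured function is the library default would pin it, assuming the defaults module can be imported from this test file. The `it` body continues outside the hunk.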