diff --git a/orcid-core/src/main/java/org/orcid/core/web/filters/CorsFilterWeb.java b/orcid-core/src/main/java/org/orcid/core/web/filters/CorsFilterWeb.java
index 2e3528fcbdd..cc82eb8e908 100644
--- a/orcid-core/src/main/java/org/orcid/core/web/filters/CorsFilterWeb.java
+++ b/orcid-core/src/main/java/org/orcid/core/web/filters/CorsFilterWeb.java
@@ -37,7 +37,8 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
if (request.getHeader("Access-Control-Request-Method") != null && "OPTIONS".equals(request.getMethod())) {
// CORS "pre-flight" request
response.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
- response.addHeader("Access-Control-Allow-Headers", "X-Requested-With,Origin,Content-Type,Accept,Authorization,x-csrf-token");
+ response.addHeader("Access-Control-Allow-Headers", "X-Requested-With,Origin,Content-Type,Accept,Authorization,x-csrf-token,x-xsrf-token");
+ return;
}
}
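Review bot: The added `return;` in the pre-flight branch ends the request without calling the filter chain, so every downstream filter (authentication, CSRF, security-header and logging filters, if any are registered after this one) is skipped for these requests, and nothing in the code says this is intentional. I would add a comment above it such as `// Pre-flight is answered here; it carries no credentials or CSRF token, so it must not reach the downstream security filters.` and make the response status explicit with `response.setStatus(HttpServletResponse.SC_OK);`. The enclosing `if` and the rest of `doFilterInternal` lie outside the hunk, so it is worth confirming that the outer condition is an origin allow-list check and that `Access-Control-Allow-Origin` is set only for allowed origins before this early exit. Adding a `Vary: Origin` header there would also keep caches from reusing a pre-flight answer across origins, if it is not already set.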
diff --git a/orcid-web/src/main/resources/orcid-frontend-security.xml b/orcid-web/src/main/resources/orcid-frontend-security.xml
index 95337fbdd50..205a09a9671 100644
--- a/orcid-web/src/main/resources/orcid-frontend-security.xml
+++ b/orcid-web/src/main/resources/orcid-frontend-security.xml
@@ -249,6 +249,7 @@
+