diff --git a/src/ESPAsyncWebServer.h b/src/ESPAsyncWebServer.h index 311680d..8922ea7 100644 --- a/src/ESPAsyncWebServer.h +++ b/src/ESPAsyncWebServer.h @@ -745,6 +745,8 @@ class CorsMiddleware : public AsyncMiddleware { void setAllowCredentials(bool credentials) { _credentials = credentials; } void setMaxAge(uint32_t seconds) { _maxAge = seconds; } + void addCORSHeaders(AsyncWebServerResponse* response); + void run(AsyncWebServerRequest* request, ArMiddlewareNext next); private: diff --git a/src/Middlewares.cpp b/src/Middlewares.cpp index 6f8dc2c..1f0252a 100644 --- a/src/Middlewares.cpp +++ b/src/Middlewares.cpp 
@@ -58,16 +58,34 @@ void LoggingMiddleware::run(AsyncWebServerRequest* request, ArMiddlewareNext nex } } +void CorsMiddleware::addCORSHeaders(AsyncWebServerResponse* response) { + response->addHeader(F("Access-Control-Allow-Origin"), _origin.c_str()); + response->addHeader(F("Access-Control-Allow-Methods"), _methods.c_str()); + response->addHeader(F("Access-Control-Allow-Headers"), _headers.c_str()); + response->addHeader(F("Access-Control-Allow-Credentials"), _credentials ? F("true") : F("false")); + response->addHeader(F("Access-Control-Max-Age"), String(_maxAge).c_str()); +} + void CorsMiddleware::run(AsyncWebServerRequest* request, ArMiddlewareNext next) { - if (request->method() == HTTP_OPTIONS && request->hasHeader(F("Origin"))) { - AsyncWebServerResponse* response = request->beginResponse(200); - response->addHeader(F("Access-Control-Allow-Origin"), _origin.c_str()); - response->addHeader(F("Access-Control-Allow-Methods"), _methods.c_str()); - response->addHeader(F("Access-Control-Allow-Headers"), _headers.c_str()); - response->addHeader(F("Access-Control-Allow-Credentials"), _credentials ? F("true") : F("false")); - response->addHeader(F("Access-Control-Max-Age"), String(_maxAge).c_str()); - request->send(response); + // Origin header ? => CORS handling + if (request->hasHeader(F("Origin"))) { + // check if this is a preflight request => handle it and return + if (request->method() == HTTP_OPTIONS) { + AsyncWebServerResponse* response = request->beginResponse(200); + addCORSHeaders(response); + request->send(response); + return; + } + + // CORS request, no options => let the request pass and add CORS headers after + next(); + AsyncWebServerResponse* response = request->getResponse(); + if (response) { + addCORSHeaders(response); + } + } else { + // NO Origin header => no CORS handling next(); } }
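Review bot: In `CorsMiddleware::run`, the preflight branch answers any `OPTIONS` request that carries `Origin` with 200 and returns without calling `next()`, so a plain cross-origin OPTIONS never reaches later middleware or the handler. A real preflight also carries `Access-Control-Request-Method`, so the test could be `if (request->method() == HTTP_OPTIONS && request->hasHeader(F("Access-Control-Request-Method")))`. In `addCORSHeaders`, `Access-Control-Allow-Credentials` is emitted as `false` when credentials are off; the header only has meaning as `true` and is better omitted otherwise, e.g. `if (_credentials) response->addHeader(F("Access-Control-Allow-Credentials"), F("true"));`. Because these headers now go on actual responses as well as preflights, `_origin` decides which sites may read every route behind this middleware, so a comment on the declaration should tell users to set a specific origin rather than a wildcard when the device serves anything sensitive (the default value is not visible in this diff). Whether headers added after `next()` still reach the client, or duplicate an `Access-Control-Allow-Origin` the handler already set, depends on `getResponse()` and `addHeader` behaviour outside this hunk and is worth confirming.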