diff --git a/internal/nodes/http_request.go b/internal/nodes/http_request.go
index f52075a..584d284 100644
--- a/internal/nodes/http_request.go
+++ b/internal/nodes/http_request.go
@@ -1728,7 +1728,7 @@ func (this *HTTPRequest) processResponseHeaders(responseHeader http.Header, stat
 }
 // CORS
- if this.web.ResponseHeaderPolicy.CORS != nil && this.web.ResponseHeaderPolicy.CORS.IsOn {
+ if this.web.ResponseHeaderPolicy.CORS != nil && this.web.ResponseHeaderPolicy.CORS.IsOn && (!this.web.ResponseHeaderPolicy.CORS.OptionsMethodOnly || this.RawReq.Method == http.MethodOptions) {
 var corsConfig = this.web.ResponseHeaderPolicy.CORS
 // Allow-Origin
@@ -1753,6 +1753,16 @@ func (this *HTTPRequest) processResponseHeaders(responseHeader http.Header, stat
 responseHeader.Set("Access-Control-Max-Age", types.String(corsConfig.MaxAge))
 }
+ // Expose-Headers
+ if len(corsConfig.ExposeHeaders) > 0 {
+ responseHeader.Set("Access-Control-Expose-Headers", strings.Join(corsConfig.ExposeHeaders, ", "))
+ }
+
+ // Request-Method
+ if len(corsConfig.RequestMethod) > 0 {
+ responseHeader.Set("Access-Control-Request-Method", strings.ToUpper(corsConfig.RequestMethod))
+ }
+
+ // Allow-Credentials
 responseHeader.Set("Access-Control-Allow-Credentials", "true")
 }
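Review bot: The new `OptionsMethodOnly` guard on the `// CORS` condition treats every OPTIONS request as a preflight and, when the option is on, leaves all other responses without any CORS headers. A browser still checks `Access-Control-Allow-Origin` on the actual response after a successful preflight, so this mode only works if the upstream supplies those headers itself; that assumption deserves a comment above the `if`, for example `// OptionsMethodOnly: answer preflights here; CORS headers on actual responses are left to the upstream`. As a point of style, the condition dereferences `this.web.ResponseHeaderPolicy.CORS` four times before `corsConfig` is assigned, so hoisting `var corsConfig = this.web.ResponseHeaderPolicy.CORS` above the `if` would make the guard readable on one line. processResponseHeaders starts and ends outside this hunk.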
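Review bot: `Access-Control-Request-Method` in the `// Request-Method` block is a request header that the browser sends with a preflight; setting it on the response is ignored by the browser, so `corsConfig.RequestMethod` neither permits nor restricts anything here. If the intent is to advertise permitted methods, the response header is `Access-Control-Allow-Methods`, which may already be set in the lines between the two hunks that are not shown; otherwise the block should be dropped. Separately, `Access-Control-Allow-Credentials: true` is still set unconditionally at the end of the hunk, so every name in `ExposeHeaders` becomes script-readable on credentialed requests from whatever origins the Allow-Origin logic (outside this hunk) admits. It is worth confirming that logic does not echo arbitrary origins, and adding a comment such as `// with credentials allowed, "*" in ExposeHeaders is matched literally, not as a wildcard`.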