diff --git a/changelog.md b/changelog.md
index 05113f1..4e3d8dc 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,4 +1,4 @@
-## Version 0.9.20
+## Version 0.9.20 - 0.9.21
 - Add option to disable CORS hardening (with empty value)
 ## Version 0.9.19
diff --git a/package.json b/package.json
index 79c2e6b..bcbcb59 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "cosmos-server",
- "version": "0.9.20",
+ "version": "0.9.21",
 "description": "",
 "main": "test-server.js",
 "bugs": {
diff --git a/src/proxy/routeTo.go b/src/proxy/routeTo.go
index 4be4ecc..e139507 100644
--- a/src/proxy/routeTo.go
+++ b/src/proxy/routeTo.go
@@ -97,12 +97,15 @@ func NewProxy(targetHost string, AcceptInsecureHTTPSTarget bool, VerboseForwardH
 proxy.ModifyResponse = func(resp *http.Response) error {
 utils.Debug("Response from backend: " + resp.Status)
 utils.Debug("URL was " + resp.Request.URL.String())
-
- if !DisableHeaderHardening {
+
+ if CORSOrigin != "" {
 resp.Header.Del("Access-Control-Allow-Origin")
 resp.Header.Del("Access-Control-Allow-Methods")
 resp.Header.Del("Access-Control-Allow-Headers")
 resp.Header.Del("Access-Control-Allow-Credentials")
+ }
+
+ if !DisableHeaderHardening {
 resp.Header.Del("Strict-Transport-Security")
 resp.Header.Del("X-Content-Type-Options")
 resp.Header.Del("Content-Security-Policy")
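Review bot: The new `if CORSOrigin != "" {` guard in `ModifyResponse` treats the empty string as "CORS hardening off", so any route whose `CORSOrigin` is simply unset now forwards the backend's `Access-Control-Allow-Origin` and `Access-Control-Allow-Credentials` headers unchanged, where the old `!DisableHeaderHardening` guard stripped them by default. How `CORSOrigin` is populated is outside this hunk, so it is worth confirming that an unconfigured route gets a non-empty default rather than silently opting out. The guard would benefit from a comment such as `// Empty CORSOrigin is an explicit opt-out: the backend's CORS headers are passed through as-is.`, and a `utils.Debug` line on the pass-through path would make the weaker setting visible in logs. The closure and `NewProxy` both continue outside the hunk.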