diff --git a/src/DruxtServiceProvider.php b/src/DruxtServiceProvider.php
index 9e1ef89..be3f995 100644
--- a/src/DruxtServiceProvider.php
+++ b/src/DruxtServiceProvider.php
@@ -16,7 +16,14 @@ class DruxtServiceProvider implements ServiceModifierInterface {
   public function alter(ContainerBuilder $container) {
     $cors_config = $container->getParameter('cors.config');
     if (!$cors_config['enabled']) {
+      // Enable CORS by default.
       $cors_config['enabled'] = TRUE;
+
+      // Set allowed headers to '*' by default when empty/undefined.
+      if (empty($cors_config['allowedHeaders'])) {
+        $cors_config['allowedHeaders'] = ['*'];
+      }
+
       $container->setParameter('cors.config', $cors_config);
     }
   }
diff --git a/tests/src/Functional/CorsIntegrationTest.php b/tests/src/Functional/CorsIntegrationTest.php
index e4d9cf6..927debb 100644
--- a/tests/src/Functional/CorsIntegrationTest.php
+++ b/tests/src/Functional/CorsIntegrationTest.php
@@ -27,6 +27,7 @@ class CorsIntegrationTest extends BrowserTestBase {
   public function testCrossSiteRequestEnabled() {
     $cors_config = $this->container->getParameter('cors.config');
     $this->assertTrue($cors_config['enabled']);
+    $this->assertContains('*', $cors_config['allowedHeaders']);
   }
 
 }