diff --git a/internal/controller/shared_controller.go b/internal/controller/shared_controller.go
index 3a494d5..f102cd0 100644
--- a/internal/controller/shared_controller.go
+++ b/internal/controller/shared_controller.go
@@ -831,14 +831,12 @@ func mutateCorsHeadersMiddleware[R Reconciler, O pdoknlv3.WMSWFS](r R, obj O, mi
 		Headers: &traefikdynamic.Headers{
 			CustomResponseHeaders: map[string]string{
 				"Access-Control-Allow-Headers": "Content-Type",
-				"Access-Control-Allow-Method":  "GET, HEAD, OPTIONS",
+				"Access-Control-Allow-Method":  "GET, POST, OPTIONS",
 				"Access-Control-Allow-Origin":  "*",
 				"Cache-Control":                "public, max-age=3600, no-transform",
 			},
 		},
 	}
-	// TODO - do we need this in WFS/WMS
-	// middleware.Spec.Headers.FrameDeny = true
 
 	if err := smoothoperatorutils.EnsureSetGVK(reconcilerClient, middleware, middleware); err != nil {
 		return err
diff --git a/internal/controller/wfs_controller_test.go b/internal/controller/wfs_controller_test.go
index 7d22550..af75693 100644
--- a/internal/controller/wfs_controller_test.go
+++ b/internal/controller/wfs_controller_test.go
@@ -491,7 +491,7 @@ var _ = Describe("WFS Controller", func() {
 			checkWFSLabels(middlewareCorsHeaders.GetLabels())
 			// Expect(middlewareCorsHeaders.Spec.Headers.FrameDeny).Should(Equal(true))
 			Expect(middlewareCorsHeaders.Spec.Headers.CustomResponseHeaders["Access-Control-Allow-Headers"]).Should(Equal("Content-Type"))
-			Expect(middlewareCorsHeaders.Spec.Headers.CustomResponseHeaders["Access-Control-Allow-Method"]).Should(Equal("GET, HEAD, OPTIONS"))
+			Expect(middlewareCorsHeaders.Spec.Headers.CustomResponseHeaders["Access-Control-Allow-Method"]).Should(Equal("GET, POST, OPTIONS"))
 			Expect(middlewareCorsHeaders.Spec.Headers.CustomResponseHeaders["Access-Control-Allow-Origin"]).Should(Equal("*"))
 		})
 
diff --git a/internal/controller/wms_controller_test.go b/internal/controller/wms_controller_test.go
index 20d9c88..be23638 100644
--- a/internal/controller/wms_controller_test.go
+++ b/internal/controller/wms_controller_test.go
@@ -719,7 +719,7 @@ var _ = Describe("WMS Controller", func() {
 			checkWMSLabels(middlewareCorsHeaders.GetLabels())
 			// Expect(middlewareCorsHeaders.Spec.Headers.FrameDeny).Should(Equal(true))
 			Expect(middlewareCorsHeaders.Spec.Headers.CustomResponseHeaders["Access-Control-Allow-Headers"]).Should(Equal("Content-Type"))
-			Expect(middlewareCorsHeaders.Spec.Headers.CustomResponseHeaders["Access-Control-Allow-Method"]).Should(Equal("GET, HEAD, OPTIONS"))
+			Expect(middlewareCorsHeaders.Spec.Headers.CustomResponseHeaders["Access-Control-Allow-Method"]).Should(Equal("GET, POST, OPTIONS"))
 			Expect(middlewareCorsHeaders.Spec.Headers.CustomResponseHeaders["Access-Control-Allow-Origin"]).Should(Equal("*"))
 		})