diff --git a/lib/http-server.js b/lib/http-server.js
index 7e3e06df1..8926001bf 100644
--- a/lib/http-server.js
+++ b/lib/http-server.js
@@ -67,15 +67,13 @@ function HttpServer(options) {
   });
 
   if (options.cors) {
-    this.headers['Access-Control-Allow-Origin'] = '*';
-    this.headers['Access-Control-Allow-Headers'] = 'Origin, X-Requested-With, Content-Type, Accept, Range';
-    if (options.corsHeaders) {
-      options.corsHeaders.split(/\s*,\s*/)
-          .forEach(function (h) { this.headers['Access-Control-Allow-Headers'] += ', ' + h; }, this);
-    }
-    before.push(corser.create(options.corsHeaders ? {
-      requestHeaders: this.headers['Access-Control-Allow-Headers'].split(/\s*,\s*/)
-    } : null));
+    var allowedHeaders =
+      ['Origin', 'X-Requested-With', 'Content-Type', 'Accept', 'Range']
+        .concat(options.corsHeaders ? options.corsHeaders.split(', ') : []);
+
+    before.push(corser.create({
+      requestHeaders: allowedHeaders
+    }));
   }
 
   if (options.robots) {
diff --git a/test/http-server-test.js b/test/http-server-test.js
index e64f04e1d..e0f41f5dd 100644
--- a/test/http-server-test.js
+++ b/test/http-server-test.js
@@ -135,7 +135,27 @@ vows.describe('http-server').addBatch({
       server.listen(8082);
       this.callback(null, server);
     },
-    'and given OPTIONS request': {
+    'and given OPTIONS request with an allowed (and custom) header': {
+      topic: function () {
+        request({
+          method: 'OPTIONS',
+          uri: 'http://127.0.0.1:8082/',
+          headers: {
+            'Access-Control-Request-Method': 'GET',
+            Origin: 'http://example.com',
+            'Access-Control-Request-Headers': 'X-Test'
+          }
+        }, this.callback);
+      },
+      'status code should be 204': function (err, res) {
+        assert.equal(res.statusCode, 204);
+      },
+      'response Access-Control-Allow-Headers should contain X-Test and allow the origin': function (err, res) {
+        assert.ok(/\bX-Test\b/i.test(res.headers['access-control-allow-headers']));
+        assert.ok(res.headers['access-control-allow-origin'] === '*');
+      }
+    },
+    'and given OPTIONS request with a disallowed header': {
       topic: function () {
         request({
           method: 'OPTIONS',
@@ -150,8 +170,9 @@ vows.describe('http-server').addBatch({
       'status code should be 204': function (err, res) {
         assert.equal(res.statusCode, 204);
       },
-      'response Access-Control-Allow-Headers should contain X-Test': function (err, res) {
-        assert.ok(res.headers['access-control-allow-headers'].split(/\s*,\s*/g).indexOf('X-Test') >= 0, 204);
+      'Should not allow the origin': function (err, res) {
+        assert.ok(res.headers['access-control-allow-headers'] === undefined);
+        assert.ok(res.headers['access-control-allow-origin'] === undefined);
       }
     }
   }