diff --git a/docs/settings.md b/docs/settings.md
index 9349235..f705b36 100644
--- a/docs/settings.md
+++ b/docs/settings.md
@@ -59,5 +59,6 @@ In version `6.0.0` we've renamed the PG configuration variable to match the offi
 - `CORS_ORIGINS`: A list of origins that should be permitted to make cross-origin requests. Defaults to `*`
 - `CORS_METHODS`: A list of HTTP methods that should be allowed for cross-origin requests. Defaults to `"GET,POST,OPTIONS"`
 - `CORS_CREDENTIALS`: Set to `true` to enable credentials via CORS requests. Note that you'll need to set `CORS_ORIGINS` to something other than `*`, because credentials are [disallowed](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS/Errors/CORSNotSupportingCredentials) for wildcard CORS origins.
+- `CORS_HEADERS`: If `CORS_CREDENTIALS` are true and you're using an `Authorization` header, set this to `Content-Type,Authorization`. Alternatively, you can allow all headers by setting this to `*`.
 - `USE_API_HYDRATE`: perform hydration of stac items within stac-fastapi
 - `INVALID_ID_CHARS`: list of characters that are not allowed in item or collection ids (used in Transaction endpoints)
diff --git a/stac_fastapi/pgstac/app.py b/stac_fastapi/pgstac/app.py
index b8e3933..5bfda23 100644
--- a/stac_fastapi/pgstac/app.py
+++ b/stac_fastapi/pgstac/app.py
@@ -187,6 +187,7 @@ async def lifespan(app: FastAPI):
 allow_origins=settings.cors_origins,
 allow_methods=settings.cors_methods,
 allow_credentials=settings.cors_credentials,
+ allow_headers=settings.cors_headers,
 ),
 ],
 health_check=health_check,
diff --git a/stac_fastapi/pgstac/config.py b/stac_fastapi/pgstac/config.py
index 15cc9f1..2710258 100644
--- a/stac_fastapi/pgstac/config.py
+++ b/stac_fastapi/pgstac/config.py
@@ -171,6 +171,7 @@ class Settings(ApiSettings):
 cors_origins: str = "*"
 cors_methods: str = "GET,POST,OPTIONS"
 cors_credentials: bool = False
+ cors_headers: str = "Content-Type"
 testing: bool = False
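Review bot: Nothing in the app.py middleware arguments enforces the constraint the docs describe: `allow_credentials=settings.cors_credentials` and the new `allow_headers=settings.cors_headers` are passed through as configured, while `cors_origins` still defaults to `*` in config.py. If this is Starlette's CORSMiddleware, a wildcard in `allow_headers` makes the preflight response echo whatever headers the browser asks for, `Authorization` included, so the origin list is then the only gate on credentialed cross-origin requests. A startup check before the API is built would make the unsafe combination fail loudly, for example `if settings.cors_credentials and "*" in settings.cors_origins: raise ValueError("CORS_CREDENTIALS requires explicit CORS_ORIGINS")`. The enclosing call starts and ends outside the hunk.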
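Review bot: In config.py, `cors_headers` is annotated `str`, but the `parse_cors_headers` validator added further down returns a list, so the annotation does not describe the value that app.py hands to `allow_headers`. A comment on the field would spare readers the surprise, e.g. `# comma-separated in the environment; parse_cors_headers turns it into a list of header names`. The neighbouring `cors_methods` field follows the same pattern and could get the same comment; the `Settings` class body continues outside the hunk.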
@@ -183,3 +184,8 @@ def parse_cors_origin(cls, v):
 def parse_cors_methods(cls, v):
 """Parse CORS methods."""
 return [method.strip() for method in v.split(",")]
+
+ @field_validator("cors_headers")
+ def parse_cors_headers(cls, v):
+ """Parse CORS headers."""
+ return [header.strip() for header in v.split(",")]
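Review bot: `parse_cors_headers` keeps blank entries, so `CORS_HEADERS="Content-Type,"` or an empty value puts `""` into the list that becomes `allow_headers`. Dropping blanks keeps the allow-list to real header names: `return [h.strip() for h in v.split(",") if h.strip()]`. The docstring could also state that a literal `*` is passed through unchanged and allows every request header, since that is the value with security consequences when credentials are enabled. `parse_cors_methods` just above has the same shape and would benefit from the same filter.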