diff --git a/src/cors.spec.ts b/src/cors.spec.ts
index 8eda13f..934884c 100644
--- a/src/cors.spec.ts
+++ b/src/cors.spec.ts
@@ -198,7 +198,6 @@ describe('cors(options?: CorsOptions)', () => {
 const response = corsify(new Response(null))
 const response2 = corsify(new Response(null), BASIC_REQUEST)
 expect(response.headers.get('access-control-allow-origin')).toBe('*')
- expect(response.headers.get('access-control-allow-methods')).toBe('*')
 expect(response2.headers.get('access-control-allow-origin')).toBe('*')
 })
 
@@ -234,6 +233,21 @@ describe('cors(options?: CorsOptions)', () => {
 expect(response2.headers.get('access-control-allow-origin')).toBe(TEST_ORIGIN)
 })
 
+ it('will not NOT include preflight headers', async () => {
+ const { corsify } = cors({
+ allowHeaders: 'foo',
+ allowMethods: 'GET',
+ exposeHeaders: 'foo',
+ maxAge: 3600,
+ })
+ const corsified = corsify(new Response(null))
+
+ expect(corsified.headers.get('access-control-allow-methods')).toBeNull()
+ expect(corsified.headers.get('access-control-allow-headers')).toBeNull()
+ expect(corsified.headers.get('access-control-expose-headers')).toBeNull()
+ expect(corsified.headers.get('access-control-max-age')).toBeNull()
+ })
+
 it('will safely preserve multiple cookies (or other identical header names)', async () => {
 const { corsify } = cors()
 const response = new Response(null)
diff --git a/src/cors.ts b/src/cors.ts
index 479078b..4559562 100644
--- a/src/cors.ts
+++ b/src/cors.ts
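Review bot: The new test asserts that `access-control-expose-headers` is null on a plain (non-preflight) corsified response, but that is the one header in the list that browsers read only on the actual response and ignore on a preflight, so the assertion pins behaviour under which the `exposeHeaders` option has no effect. I would drop that line from this test and instead check the actual-response path, e.g. `expect(corsified.headers.get('access-control-expose-headers')).toBe('foo')`. The title `will not NOT include preflight headers` is a double negative; `will not include preflight headers on a non-preflight response` says what is checked. The removed `allow-methods` assertion in the earlier hunk is consistent with the intended change and needs nothing further.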
@@ -29,16 +29,6 @@ export const cors = (options: CorsOptions = {}) => {
 maxAge,
 } = options
 
- // create generic CORS headers
- const corsHeaders = {
- // @ts-expect-error
- 'access-control-expose-headers': exposeHeaders?.join?.(',') ?? exposeHeaders, // include allowed headers
- // @ts-expect-error
- 'access-control-allow-methods': allowMethods?.join?.(',') ?? allowMethods, // include allowed methods
- 'access-control-max-age': maxAge,
- 'access-control-allow-credentials': credentials,
- }
-
 const getAccessControlOrigin = (request?: Request): string => {
 const requestOrigin = request?.headers.get('origin') // may be null if no request passed
 
@@ -70,8 +60,13 @@ export const cors = (options: CorsOptions = {}) => {
 
 return appendHeadersAndReturn(response, {
 'access-control-allow-origin': getAccessControlOrigin(request),
+ // @ts-ignore
+ 'access-control-allow-methods': allowMethods?.join?.(',') ?? allowMethods, // include allowed methods
+ // @ts-ignore
+ 'access-control-expose-headers': exposeHeaders?.join?.(',') ?? exposeHeaders, // include allowed headers
 'access-control-allow-headers': allowHeaders?.join?.(',') ?? allowHeaders ?? request.headers.get('access-control-request-headers'), // include allowed headers
- ...corsHeaders,
+ 'access-control-max-age': maxAge,
+ 'access-control-allow-credentials': credentials,
 })
 } // otherwise ignore
 }
@@ -88,7 +83,7 @@ export const cors = (options: CorsOptions = {}) => {
 
 return appendHeadersAndReturn(response, {
 'access-control-allow-origin': getAccessControlOrigin(request),
- ...corsHeaders
+ 'access-control-allow-credentials': credentials,
 })
 }
 
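Review bot: `access-control-expose-headers` is added here to the branch that handles the preflight (the one consulting `access-control-request-headers`) and, in the `@@ -88` hunk below, dropped from the actual-response branch, but browsers honour Expose-Headers only on the actual response and ignore it on a preflight, so after this change the `exposeHeaders` option no longer lets client code read the listed headers. Leave it out of this object and add `'access-control-expose-headers': Array.isArray(exposeHeaders) ? exposeHeaders.join(',') : exposeHeaders,` to the `appendHeadersAndReturn` call in the later hunk. The same `Array.isArray` form for `allowMethods` would make the two new `// @ts-ignore` lines unnecessary; where a suppression genuinely is needed, `// @ts-expect-error` (which the removed block used) is preferable because it reports once the error disappears. The enclosing function `cors` starts and ends outside the hunk.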