diff --git a/cors.go b/cors.go
index eeff6ad..5681700 100644
--- a/cors.go
+++ b/cors.go
@@ -64,10 +64,11 @@ func (s *withCORS) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		r.Header.Get("Access-Control-Request-Method") != "" &&
 		r.Header.Get("Origin") != ""
 
+	if s.origin != "" {
+		w.Header().Set("Access-Control-Allow-Origin", s.origin)
+	}
+
 	if isPreflight {
-		if s.origin != "" {
-			w.Header().Set("Access-Control-Allow-Origin", s.origin)
-		}
 		if s.methods != "" {
 			w.Header().Set("Access-Control-Allow-Methods", s.methods)
 		}
diff --git a/cors_test.go b/cors_test.go
index ef037a4..323eef7 100644
--- a/cors_test.go
+++ b/cors_test.go
@@ -52,8 +52,8 @@ func TestWrapInsecureCORSGetRequest(t *testing.T) {
 	}
 
 	headers := resp.Header()
-	if _, ok := headers["Access-Control-Allow-Origin"]; ok {
-		t.Errorf("expected no Access-Control-Allow-Origin header")
+	if headers.Get("Access-Control-Allow-Origin") != "*" {
+		t.Errorf("Expected Access-Control-Allow-Origin: *; got %v", headers.Get("Access-Control-Allow-Origin"))
 	}
 	if _, ok := headers["Access-Control-Allow-Methods"]; ok {
 		t.Errorf("expected no Access-Control-Allow-Methods header")