diff --git a/http/cors.go b/http/cors.go
index a01228be2d..9e8b6fa195 100644
--- a/http/cors.go
+++ b/http/cors.go
@@ -22,13 +22,18 @@ func wrapCORSHandler(h http.Handler, core *vault.Core) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 		corsConf := core.CORSConfig()
 
-		origin := req.Header.Get("Origin")
-		requestMethod := req.Header.Get("Access-Control-Request-Method")
-
 		// If CORS is not enabled or if no Origin header is present (i.e. the request
 		// is from the Vault CLI. A browser will always send an Origin header), then
 		// just return a 204.
-		if !corsConf.IsEnabled() || origin == "" {
+		if !corsConf.IsEnabled() {
+			h.ServeHTTP(w, req)
+			return
+		}
+
+		origin := req.Header.Get("Origin")
+		requestMethod := req.Header.Get("Access-Control-Request-Method")
+
+		if origin == "" {
 			h.ServeHTTP(w, req)
 			return
 		}
diff --git a/vault/core.go b/vault/core.go
index 0e38b7a6d2..51075ae3e9 100644
--- a/vault/core.go
+++ b/vault/core.go
@@ -517,7 +517,10 @@ func NewCore(conf *CoreConfig) (*Core, error) {
 	}
 
 	// Load CORS config and provide a value for the core field.
-	c.corsConfig = &CORSConfig{core: c}
+	c.corsConfig = &CORSConfig{
+		core:    c,
+		Enabled: new(uint32),
+	}
 
 	phys := conf.Physical
 	_, txnOK := conf.Physical.(physical.Transactional)
diff --git a/vault/cors.go b/vault/cors.go
index db2dd855b7..c389a6e6d2 100644
--- a/vault/cors.go
+++ b/vault/cors.go
@@ -79,6 +79,11 @@ func (c *Core) loadCORSConfig(ctx context.Context) error {
 	if err != nil {
 		return err
 	}
+
+	if newConfig.Enabled == nil {
+		newConfig.Enabled = new(uint32)
+	}
+
 	newConfig.core = c
 
 	c.corsConfig = newConfig