diff --git a/config/initializers/08-rack-cors.rb b/config/initializers/08-rack-cors.rb
index 8ed2a38e9..83f77d44c 100644
--- a/config/initializers/08-rack-cors.rb
+++ b/config/initializers/08-rack-cors.rb
@@ -29,7 +29,8 @@ if GlobalSetting.enable_cors
 end
 headers['Access-Control-Allow-Origin'] = origin || cors_origins[0]
- headers['Access-Control-Allow-Credentials'] = "true"
+ headers['Access-Control-Allow-Headers'] = 'X-Requested-With, X-CSRF-Token'
+ headers['Access-Control-Allow-Credentials'] = 'true'
 end
 headers
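Review bot: `Access-Control-Allow-Credentials` and the new `Access-Control-Allow-Headers` are emitted on every response in this branch, including when `origin` is nil and the code falls back to `cors_origins[0]`. With credentials allowed and `X-CSRF-Token` accepted, every origin in the allowlist can send cookie-authenticated requests that carry a CSRF token, so the list is effectively a full-trust list. That deserves a comment above these lines, and the credentialed headers are better limited to a matched origin, e.g. `headers['Access-Control-Allow-Credentials'] = 'true' if origin`. Because the `Access-Control-Allow-Origin` value appears to depend on the request's Origin header, the response should also add `Origin` to `Vary` (merged with any existing value) unless that is already done outside this hunk; otherwise a shared cache can replay one origin's headers to another. The enclosing method starts and ends outside the hunk, so how `origin` and `cors_origins` are derived is not visible here.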