diff --git a/lib/core/opts.js b/lib/core/opts.js
index c0365ba8..ec1b2cbc 100644
--- a/lib/core/opts.js
+++ b/lib/core/opts.js
@@ -118,7 +118,7 @@ module.exports = (opts) => {
     });
 
     aliases.cors.forEach((k) => {
-      if (isDeclared(k) && k) {
+      if (isDeclared(k) && opts[k]) {
         handleOptionsMethod = true;
         headers['Access-Control-Allow-Origin'] = '*';
         headers['Access-Control-Allow-Headers'] = 'Authorization, Content-Type, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since';
diff --git a/test/cors.test.js b/test/cors.test.js
new file mode 100644
index 00000000..09db6cd7
--- /dev/null
+++ b/test/cors.test.js
@@ -0,0 +1,118 @@
+'use strict';
+
+const test = require('tap').test;
+const server = require('../lib/core');
+const http = require('http');
+const path = require('path');
+const request = require('request');
+
+const root = path.join(__dirname, 'public');
+
+test('cors defaults to false', (t) => {
+  t.plan(4);
+
+  const httpServer = http.createServer(
+    server({
+      root,
+      autoIndex: true,
+      defaultExt: 'html',
+    })
+  );
+
+  httpServer.listen(() => {
+    const port = httpServer.address().port;
+    const uri = `http://localhost:${port}/subdir/index.html`;
+
+    request.get({ uri }, (err, res) => {
+      t.ifError(err);
+      t.equal(res.statusCode, 200);
+      t.type(res.headers['access-control-allow-origin'], 'undefined');
+      t.type(res.headers['access-control-allow-headers'], 'undefined');
+    });
+  });
+  t.once('end', () => {
+    httpServer.close();
+  });
+});
+
+test('cors set to false', (t) => {
+  t.plan(4);
+
+  const httpServer = http.createServer(
+    server({
+      root,
+      cors: false,
+      autoIndex: true,
+      defaultExt: 'html',
+    })
+  );
+
+  httpServer.listen(() => {
+    const port = httpServer.address().port;
+    const uri = `http://localhost:${port}/subdir/index.html`;
+
+    request.get({ uri }, (err, res) => {
+      t.ifError(err);
+      t.equal(res.statusCode, 200);
+      t.type(res.headers['access-control-allow-origin'], 'undefined');
+      t.type(res.headers['access-control-allow-headers'], 'undefined');
+    });
+  });
+  t.once('end', () => {
+    httpServer.close();
+  });
+});
+
+test('cors set to true', (t) => {
+  t.plan(4);
+
+  const httpServer = http.createServer(
+    server({
+      root,
+      cors: true,
+      autoIndex: true,
+      defaultExt: 'html',
+    })
+  );
+
+  httpServer.listen(() => {
+    const port = httpServer.address().port;
+    const uri = `http://localhost:${port}/subdir/index.html`;
+    request.get({ uri }, (err, res) => {
+      t.ifError(err);
+      t.equal(res.statusCode, 200);
+      t.equal(res.headers['access-control-allow-origin'], '*');
+      t.equal(res.headers['access-control-allow-headers'], 'Authorization, Content-Type, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since');
+    });
+  });
+  t.once('end', () => {
+    httpServer.close();
+  });
+});
+
+test('CORS set to true', (t) => {
+  t.plan(4);
+
+  const httpServer = http.createServer(
+    server({
+      root,
+      CORS: true,
+      autoIndex: true,
+      defaultExt: 'html',
+    })
+  );
+
+  httpServer.listen(() => {
+    const port = httpServer.address().port;
+    const uri = `http://localhost:${port}/subdir/index.html`;
+    request.get({ uri }, (err, res) => {
+      t.ifError(err);
+      t.equal(res.statusCode, 200);
+      t.equal(res.headers['access-control-allow-origin'], '*');
+      t.equal(res.headers['access-control-allow-headers'], 'Authorization, Content-Type, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since');
+    });
+  });
+  t.once('end', () => {
+    httpServer.close();
+  });
+});