diff --git a/codec-http/src/main/java/io/netty/handler/codec/http/cors/CorsHandler.java b/codec-http/src/main/java/io/netty/handler/codec/http/cors/CorsHandler.java
index 59dc22a728..5084465820 100644
--- a/codec-http/src/main/java/io/netty/handler/codec/http/cors/CorsHandler.java
+++ b/codec-http/src/main/java/io/netty/handler/codec/http/cors/CorsHandler.java
@@ -40,6 +40,7 @@ import static io.netty.util.ReferenceCountUtil.*;
 public class CorsHandler extends ChannelDuplexHandler {
 private static final InternalLogger logger = InternalLoggerFactory.getInstance(CorsHandler.class);
+ private static final String ANY_ORIGIN = "*";
 private final CorsConfig config;
 private HttpRequest request;
@@ -140,7 +141,7 @@ public class CorsHandler extends ChannelDuplexHandler {
 }
 private static void setAnyOrigin(final HttpResponse response) {
- setOrigin(response, "*");
+ setOrigin(response, ANY_ORIGIN);
 }
 private static void setOrigin(final HttpResponse response, final String origin) {
@@ -148,7 +149,8 @@ public class CorsHandler extends ChannelDuplexHandler {
 }
 private void setAllowCredentials(final HttpResponse response) {
- if (config.isCredentialsAllowed()) {
+ if (config.isCredentialsAllowed()
+ && !response.headers().get(HttpHeaderNames.ACCESS_CONTROL_ALLOW_ORIGIN).equals(ANY_ORIGIN)) {
 response.headers().set(HttpHeaderNames.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
 }
 }
diff --git a/codec-http/src/test/java/io/netty/handler/codec/http/cors/CorsHandlerTest.java b/codec-http/src/test/java/io/netty/handler/codec/http/cors/CorsHandlerTest.java
index 524d764f4f..8734d13e88 100644
--- a/codec-http/src/test/java/io/netty/handler/codec/http/cors/CorsHandlerTest.java
+++ b/codec-http/src/test/java/io/netty/handler/codec/http/cors/CorsHandlerTest.java
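Review bot: The new condition in setAllowCredentials dereferences `response.headers().get(HttpHeaderNames.ACCESS_CONTROL_ALLOW_ORIGIN)` before calling `.equals`, and Netty's HttpHeaders.get returns null when the header is absent, so any call path that reaches this method without having set the allow-origin header first would now throw a NullPointerException instead of silently skipping the credentials header. Reversing the comparison makes it null-safe without changing the intended behaviour: `&& !ANY_ORIGIN.equals(response.headers().get(HttpHeaderNames.ACCESS_CONTROL_ALLOW_ORIGIN))) {`. The ordering dependency is also worth stating above the method, since the check is only meaningful after the origin header has been written, e.g. `// Must run after the Access-Control-Allow-Origin header is set: browsers reject credentials combined with the "*" origin, so never emit the credentials header for a wildcard response.` The same null-safety point applies to this hunk only; the two earlier hunks are the constant extraction it depends on.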
@@ -163,9 +163,13 @@ public class CorsHandlerTest {
 @Test
 public void preflightRequestWithNullOrigin() {
 final String origin = "null";
- final CorsConfig config = CorsConfig.withOrigin(origin).allowNullOrigin().build();
+ final CorsConfig config = CorsConfig.withOrigin(origin)
+ .allowNullOrigin()
+ .allowCredentials()
+ .build();
 final HttpResponse response = preflightRequest(config, origin, "content-type, xheader1");
 assertThat(response.headers().get(ACCESS_CONTROL_ALLOW_ORIGIN), is(equalTo("*")));
+ assertThat(response.headers().get(ACCESS_CONTROL_ALLOW_CREDENTIALS), is(nullValue()));
 }
 @Test
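Review bot: The new assertion pins only the suppression case (wildcard origin, no credentials header); nothing in this hunk guards the other half of the new condition, that a concrete allowed origin combined with allowCredentials() still yields `"true"`, so a regression that inverted the comparison would pass this test. If the file does not already have such a case elsewhere, a sibling test with a non-wildcard origin asserting `is(equalTo("true"))` on ACCESS_CONTROL_ALLOW_CREDENTIALS would close that gap. The `nullValue()` matcher presumably needs a static import that this hunk does not show; the import block is outside the hunk, so confirm it is present.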