ktorio · Hasan mohamed (HMH-3080) · May 18, 2026 · May 19, 2026 · May 19, 2026 · Bruce Hamilton (bjhham)
diff --git a/...erver/ktor-server-plugins/ktor-server-cors/common/src/io/ktor/server/plugins/cors/CORS.kt b/...erver/ktor-server-plugins/ktor-server-cors/common/src/io/ktor/server/plugins/cors/CORS.kt
@@ -54,10 +54,7 @@ internal fun PluginBuilder<CORSConfig>.buildPlugin() {
     val allowNonSimpleContentTypes: Boolean = pluginConfig.allowNonSimpleContentTypes
     val headersList = pluginConfig.headers.filterNot { it in CORSConfig.CorsSimpleRequestHeaders }
         .let { if (allowNonSimpleContentTypes) it + HttpHeaders.ContentType else it }
-    val methodsListHeaderValue = methods.filterNot { it in CORSConfig.CorsDefaultMethods }
-        .map { it.value }
-        .sorted()
-        .joinToString(", ")
+    val methodsListHeaderValue = methods.map { it.value }.sorted().joinToString(", ")
     val maxAgeHeaderValue = pluginConfig.maxAgeInSeconds.let { if (it > 0) it.toString() else null }
     val exposedHeaders = when {
         pluginConfig.exposedHeaders.isNotEmpty() -> pluginConfig.exposedHeaders.sorted().joinToString(", ")

diff --git a/ktor-server/ktor-server-tests/common/test/io/ktor/tests/server/plugins/CORSTest.kt b/ktor-server/ktor-server-tests/common/test/io/ktor/tests/server/plugins/CORSTest.kt
@@ -1592,4 +1592,32 @@ class CORSTest {
             assertEquals(response.status, HttpStatusCode.Forbidden)
         }
     }
+
+    @Test
+    fun testDefaultMethodsIncludedInAllowMethodsHeader() = testApplication {
+        install(CORS) {
+            allowMethod(HttpMethod.Post)
+            anyHost()
+        }
+
+        routing {
+            post("/") {
+                call.respond("OK")
+            }
+        }
+
+        val response = client.options("/") {
+            header(HttpHeaders.Origin, "https://example.com")
+            header(HttpHeaders.AccessControlRequestMethod, "POST")
+        }
+
+        assertEquals(HttpStatusCode.OK, response.status)
+        val allowMethodsHeader = response.headers[HttpHeaders.AccessControlAllowMethods]
+
+        assertNotNull(allowMethodsHeader, "Access-Control-Allow-Methods header should not be null")
+        assertTrue(
+            allowMethodsHeader.contains("POST"),
+            "Expected Access-Control-Allow-Methods to include POST, but got: $allowMethodsHeader"
+        )
+    }
 }