diff --git a/opentdf-core-mode.yaml b/opentdf-core-mode.yaml
index 037b53494a..1ed7897a57 100644
--- a/opentdf-core-mode.yaml
+++ b/opentdf-core-mode.yaml
@@ -38,11 +38,16 @@ server:
  - OPTIONS
  # List of headers that are allowed in a request
  allowedheaders:
- - ACCEPT
+ - Accept
+ - Accept-Encoding
  - Authorization
  - Connect-Protocol-Version
+ - Content-Length
  - Content-Type
+ - Dpop
  - X-CSRF-Token
+ - X-Requested-With
+ - X-Rewrap-Additional-Context
  # List of response headers that browsers are allowed to access
  exposedheaders:
  - Link
diff --git a/opentdf-dev.yaml b/opentdf-dev.yaml
index 2287f46634..4712457bbb 100644
--- a/opentdf-dev.yaml
+++ b/opentdf-dev.yaml
@@ -134,12 +134,16 @@ server:
  - OPTIONS
  # List of headers that are allowed in a request
  allowedheaders:
- - ACCEPT
+ - Accept
+ - Accept-Encoding
  - Authorization
  - Connect-Protocol-Version
+ - Content-Length
  - Content-Type
+ - Dpop
  - X-CSRF-Token
- - X-Request-ID
+ - X-Requested-With
+ - X-Rewrap-Additional-Context
  # List of response headers that browsers are allowed to access
  exposedheaders:
  - Link
diff --git a/opentdf-ers-mode.yaml b/opentdf-ers-mode.yaml
index a396b963a8..fce2e93961 100644
--- a/opentdf-ers-mode.yaml
+++ b/opentdf-ers-mode.yaml
@@ -75,12 +75,16 @@ server:
  - OPTIONS
  # List of headers that are allowed in a request
  allowedheaders:
- - ACCEPT
+ - Accept
+ - Accept-Encoding
  - Authorization
  - Connect-Protocol-Version
+ - Content-Length
  - Content-Type
+ - Dpop
  - X-CSRF-Token
- - X-Request-ID
+ - X-Requested-With
+ - X-Rewrap-Additional-Context
  # List of response headers that browsers are allowed to access
  exposedheaders:
  - Link
diff --git a/opentdf-example.yaml b/opentdf-example.yaml
index c110295121..a0b97da826 100644
--- a/opentdf-example.yaml
+++ b/opentdf-example.yaml
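Review bot: `Accept-Encoding` and `Content-Length` in the new `allowedheaders` entries are forbidden request-header names that the browser sets itself, so they do not appear in a preflight's `Access-Control-Request-Headers` and listing them lengthens the allow-list without enabling anything; the same entries are added in the opentdf-dev, opentdf-ers-mode, opentdf-example, opentdf-kas-mode and testdata/all-no-config hunks. If they are kept only to mirror the Go default, a comment above the list should say so, for example `# Mirrors the CORSConfig AllowedHeaders default in service/internal/server/server.go`. `X-Rewrap-Additional-Context` is the one application-specific entry and deserves a one-line comment naming the client feature that needs it, so an operator trimming the list knows what breaks if it is dropped.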
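Review bot: `X-Request-ID` is removed from `allowedheaders` in the opentdf-dev.yaml hunk, and again in the opentdf-ers-mode, opentdf-example, opentdf-kas-mode and testdata/all-no-config hunks, and nothing on the page explains why. A browser client that attaches `X-Request-ID` for request correlation will have its preflight rejected under this list. If the removal is deliberate (the Go default never listed it), record that in the commit description or changelog; otherwise keep `- X-Request-ID` alongside the new `- X-Requested-With` entry.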
@@ -92,12 +92,16 @@ server:
  - OPTIONS
  # List of headers that are allowed in a request
  allowedheaders:
- - ACCEPT
+ - Accept
+ - Accept-Encoding
  - Authorization
  - Connect-Protocol-Version
+ - Content-Length
  - Content-Type
+ - Dpop
  - X-CSRF-Token
- - X-Request-ID
+ - X-Requested-With
+ - X-Rewrap-Additional-Context
  # List of response headers that browsers are allowed to access
  exposedheaders:
  - Link
diff --git a/opentdf-kas-mode.yaml b/opentdf-kas-mode.yaml
index cbfaee1f06..b6431b297e 100644
--- a/opentdf-kas-mode.yaml
+++ b/opentdf-kas-mode.yaml
@@ -88,12 +88,16 @@ server:
  - OPTIONS
  # List of headers that are allowed in a request
  allowedheaders:
- - ACCEPT
+ - Accept
+ - Accept-Encoding
  - Authorization
  - Connect-Protocol-Version
+ - Content-Length
  - Content-Type
+ - Dpop
  - X-CSRF-Token
- - X-Request-ID
+ - X-Requested-With
+ - X-Rewrap-Additional-Context
  # List of response headers that browsers are allowed to access
  exposedheaders:
  - Link
diff --git a/service/internal/server/server.go b/service/internal/server/server.go
index c38bd16846..5a82391da2 100644
--- a/service/internal/server/server.go
+++ b/service/internal/server/server.go
@@ -124,7 +124,7 @@ type CORSConfig struct {
  Enabled bool `mapstructure:"enabled" json:"enabled" default:"true"`
  AllowedOrigins []string `mapstructure:"allowedorigins" json:"allowedorigins"`
  AllowedMethods []string `mapstructure:"allowedmethods" json:"allowedmethods" default:"[\"GET\",\"POST\",\"PATCH\",\"DELETE\",\"OPTIONS\"]"`
- AllowedHeaders []string `mapstructure:"allowedheaders" json:"allowedheaders" default:"[\"Accept\",\"Content-Type\",\"Content-Length\",\"Accept-Encoding\",\"X-CSRF-Token\",\"Authorization\",\"X-Requested-With\",\"Dpop\",\"Connect-Protocol-Version\"]"`
+ AllowedHeaders []string `mapstructure:"allowedheaders" json:"allowedheaders" default:"[\"Accept\",\"Accept-Encoding\",\"Authorization\",\"Connect-Protocol-Version\",\"Content-Length\",\"Content-Type\",\"Dpop\",\"X-CSRF-Token\",\"X-Requested-With\",\"X-Rewrap-Additional-Context\"]"`
  ExposedHeaders []string `mapstructure:"exposedheaders" json:"exposedheaders"`
  AllowCredentials bool `mapstructure:"allowcredentials" json:"allowcredentials" default:"true"`
  MaxAge int `mapstructure:"maxage" json:"maxage" default:"3600"`
diff --git a/service/pkg/server/testdata/all-no-config.yaml b/service/pkg/server/testdata/all-no-config.yaml
index 2970a6fa00..cdb3592cb6 100644
--- a/service/pkg/server/testdata/all-no-config.yaml
+++ b/service/pkg/server/testdata/all-no-config.yaml
@@ -81,12 +81,16 @@ server:
  - OPTIONS
  # List of headers that are allowed in a request
  allowedheaders:
- - ACCEPT
+ - Accept
+ - Accept-Encoding
  - Authorization
  - Connect-Protocol-Version
+ - Content-Length
  - Content-Type
+ - Dpop
  - X-CSRF-Token
- - X-Request-ID
+ - X-Requested-With
+ - X-Rewrap-Additional-Context
  # List of response headers that browsers are allowed to access
  exposedheaders:
  - Link
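Review bot: The `AllowedHeaders` default tag now has to be kept identical by hand to the `allowedheaders` list in six YAML files, and the removed lines show the two had already drifted (`X-Request-ID` only in the YAML, `Dpop` and `X-Requested-With` only in the tag). A field comment such as `// AllowedHeaders: default must match the allowedheaders list in the opentdf-*.yaml samples.` would help, and a test that loads each sample config and compares it with this default would catch the next divergence. Because `AllowCredentials` defaults to `true` in the same struct, `X-Rewrap-Additional-Context` becomes settable on credentialed cross-origin requests from any origin listed in `AllowedOrigins`. The code that reads the header is not in this hunk, so confirm it bounds the header's size and validates its content before use. The CORSConfig struct continues past the end of the hunk.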