diff --git a/src/envoy/http/jwt_auth/jwt_authenticator.cc b/src/envoy/http/jwt_auth/jwt_authenticator.cc
index e5605ac89d2..e039f2d0b6c 100644
--- a/src/envoy/http/jwt_auth/jwt_authenticator.cc
+++ b/src/envoy/http/jwt_auth/jwt_authenticator.cc
@@ -62,8 +62,18 @@ void JwtAuthenticator::Verify(HeaderMap &headers,
   // Per the spec
   // http://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0, CORS
   // pre-flight requests shouldn't include user credentials.
-  if (headers_->Method() && Http::Headers::get().MethodValues.Options == headers_->Method()->value().c_str()) {
+  // From
+  // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers:
+  // "... This header is required if the request has an
+  // Access-Control-Request-Headers header.", which indicates that
+  // Access-Control-Request-Headers header may not always be present in a CORS
+  // request.
+  if (headers.Method() &&
+      Http::Headers::get().MethodValues.Options ==
+          headers.Method()->value().c_str() &&
+      headers.Origin() && !headers.Origin()->value().empty() &&
+      headers.AccessControlRequestMethod() &&
+      !headers.AccessControlRequestMethod()->value().empty()) {
     ENVOY_LOG(debug, "CORS preflight request is passed through.");
     DoneWithStatus(Status::OK);
     return;
diff --git a/src/envoy/http/jwt_auth/jwt_authenticator_test.cc b/src/envoy/http/jwt_auth/jwt_authenticator_test.cc
index 50d2f3546fb..eaa2b285803 100644
--- a/src/envoy/http/jwt_auth/jwt_authenticator_test.cc
+++ b/src/envoy/http/jwt_auth/jwt_authenticator_test.cc
@@ -539,7 +539,10 @@ TEST_F(JwtAuthenticatorTest, TestMissingJwtWhenHttpMethodIsCORS) {
   }));
   auto cors_headers =
-      TestHeaderMapImpl{{":method", "OPTIONS"}, {":path", "/any/cors-path"}};
+      TestHeaderMapImpl{{":method", "OPTIONS"},
+                        {"origin", "test-origin"},
+                        {"access-control-request-method", "GET"},
+                        {":path", "/any/cors-path"}};
   auth_->Verify(cors_headers, &mock_cb_);
 }
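Review bot: The new condition still decides on headers the client fully controls, so an unauthenticated OPTIONS request that simply sets Origin and Access-Control-Request-Method is passed through with Status::OK exactly as every OPTIONS request was before; the narrowing only excludes clients that do not add them. That is acceptable only if nothing behind this filter performs work on OPTIONS, and the comment block should say so rather than quote MDN on Access-Control-Allow-Headers, a response header, which makes the reason for not also requiring Access-Control-Request-Headers hard to follow. Suggested replacement for the six added comment lines: `// A CORS preflight always carries Origin and Access-Control-Request-Method; Access-Control-Request-Headers is optional, so only the first two are required here. All of them are client-controlled, so this bypass assumes the upstream treats OPTIONS as a no-op.` Verify's body starts and ends outside the hunk; the switch from `headers_->` to the `headers` parameter is not mentioned anywhere in the hunk, so it is worth confirming that both refer to the same map.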
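Review bot: Both CORS tests only exercise the positive path, so nothing verifies that an OPTIONS request lacking Origin or Access-Control-Request-Method is no longer passed through, which is the behaviour this commit changes; the same applies to the TestInvalidJWTWhenHttpMethodIsCORS hunk that follows. A negative case should reuse the setup of TestMissingJwtWhenHttpMethodIsCORS but expect the missing-JWT status instead of Status::OK; that Status value is not visible from here, so it is left as a placeholder below. The enclosing TEST_F bodies start outside the hunks.
```cpp
TEST_F(JwtAuthenticatorTest, TestMissingJwtWhenOptionsLacksCorsHeaders) {
  // … same mock setup as TestMissingJwtWhenHttpMethodIsCORS, but the
  // callback expectation is the missing-JWT status, not Status::OK …
  auto headers =
      TestHeaderMapImpl{{":method", "OPTIONS"}, {":path", "/any/cors-path"}};
  auth_->Verify(headers, &mock_cb_);
}
```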
@@ -552,9 +555,12 @@ TEST_F(JwtAuthenticatorTest, TestInvalidJWTWhenHttpMethodIsCORS) {
   }));
   std::string token = "invalidToken";
-  auto cors_headers = TestHeaderMapImpl{{":method", "OPTIONS"},
-                                        {":path", "/any/cors-path"},
-                                        {"Authorization", "Bearer " + token}};
+  auto cors_headers =
+      TestHeaderMapImpl{{":method", "OPTIONS"},
+                        {"origin", "test-origin"},
+                        {"access-control-request-method", "GET"},
+                        {":path", "/any/cors-path"},
+                        {"Authorization", "Bearer " + token}};
   auth_->Verify(cors_headers, &mock_cb_);
 }