diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index 92d2c9706..3ace12bc3 100755
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -1268,6 +1268,10 @@ stream {
             deny all;
             {{ end }}
 
+            {{ if $location.CorsConfig.CorsEnabled }}
+            {{ template "CORS" $location }}
+            {{ end }}
+
             {{ if not (isLocationInLocationList $location $all.Cfg.NoAuthLocations) }}
             {{ if $authPath }}
             # this location requires authentication
@@ -1329,10 +1333,6 @@ stream {
             {{ range $limit := $limits }}
             {{ $limit }}{{ end }}
 
-            {{ if $location.CorsConfig.CorsEnabled }}
-            {{ template "CORS" $location }}
-            {{ end }}
-
             {{ buildInfluxDB $location.InfluxDB }}
 
             {{ if isValidByteSize $location.Proxy.BodySize true }}
diff --git a/test/e2e/annotations/auth.go b/test/e2e/annotations/auth.go
index 7da2ef7d9..1f0f4c3b2 100644
--- a/test/e2e/annotations/auth.go
+++ b/test/e2e/annotations/auth.go
@@ -141,6 +141,34 @@ var _ = framework.DescribeAnnotation("auth-*", func() {
 			Body().Contains("401 Authorization Required")
 	})
 
+	ginkgo.It("should return status code 401 and cors headers when authentication and cors is configured but Authorization header is not configured", func() {
+		host := "auth"
+
+		s := f.EnsureSecret(buildSecret("foo", "bar", "test", f.Namespace))
+
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/auth-type":   "basic",
+			"nginx.ingress.kubernetes.io/auth-secret": s.Name,
+			"nginx.ingress.kubernetes.io/auth-realm":  "test auth",
+			"nginx.ingress.kubernetes.io/enable-cors": "true",
+		}
+
+		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
+		f.EnsureIngress(ing)
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return strings.Contains(server, "server_name auth")
+			})
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusUnauthorized).
+			Header("Access-Control-Allow-Origin").Equal("*")
+	})
+
 	ginkgo.It("should return status code 200 when authentication is configured and Authorization header is sent", func() {
 		host := "auth"