diff --git a/system/Filters/Cors.php b/system/Filters/Cors.php
index cb0e09c138ea..3ed2d7d1c66e 100644
--- a/system/Filters/Cors.php
+++ b/system/Filters/Cors.php
@@ -61,16 +61,24 @@ public function before(RequestInterface $request, $arguments = null)
  /** @var ResponseInterface $response */
  $response = service('response');

- if ($request->is('OPTIONS')) {
+ if ($this->cors->isPreflightRequest($request)) {
+ $response = $this->cors->handlePreflightRequest($request, $response);
+
  // Always adds `Vary: Access-Control-Request-Method` header for cacheability.
  // If there is an intermediate cache server such as a CDN, if a plain
  // OPTIONS request is sent, it may be cached. But valid preflight requests
  // have this header, so it will be cached separately.
  $response->appendHeader('Vary', 'Access-Control-Request-Method');
+
+ return $response;
  }

- if ($this->cors->isPreflightRequest($request)) {
- return $this->cors->handlePreflightRequest($request, $response);
+ if ($request->is('OPTIONS')) {
+ // Always adds `Vary: Access-Control-Request-Method` header for cacheability.
+ // If there is an intermediate cache server such as a CDN, if a plain
+ // OPTIONS request is sent, it may be cached. But valid preflight requests
+ // have this header, so it will be cached separately.
+ $response->appendHeader('Vary', 'Access-Control-Request-Method');
  }

  $this->cors->addResponseHeaders($request, $response);
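Review bot: The preflight branch now relies on `appendHeader('Vary', 'Access-Control-Request-Method')` running after `handlePreflightRequest()`, but the copied comment explains only why the header exists, not why the order matters, so a later cleanup could merge the two branches again and reintroduce the old ordering. I would add one line above the append in that branch, for example `// Append Vary only after handlePreflightRequest() so the header is set on the response that is returned.` The same four-line comment and append are duplicated in the plain-OPTIONS branch; keeping the full explanation in one place and a short pointer in the other avoids the two copies drifting apart. Because this header is what stops a shared cache from answering a real preflight with a stored plain OPTIONS response, a filter test asserting the final `Vary` value on both paths would pin the behaviour. `before()` starts and ends outside the hunk, so how `handlePreflightRequest()` and `addResponseHeaders()` treat `Vary` themselves is not visible here.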