diff --git a/kinto/core/utils.py b/kinto/core/utils.py
index b2e3c0680..5382ab06b 100644
--- a/kinto/core/utils.py
+++ b/kinto/core/utils.py
@@ -262,8 +262,9 @@ def reapply_cors(request, response):
             settings = request.registry.settings
             allowed_origins = set(aslist(settings["cors_origins"]))
             required_origins = {"*", origin}
+            matches = allowed_origins.intersection(required_origins)
             if allowed_origins.intersection(required_origins):
-                response.headers["Access-Control-Allow-Origin"] = origin
+                response.headers["Access-Control-Allow-Origin"] = matches.pop()
 
         # Import service here because kinto.core import utils
         from kinto.core import Service