diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 95098e6..cea7e32 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -8,7 +8,7 @@ jobs:
 timeout-minutes: 10
 strategy:
 matrix: 
- node-version: [20.x] 
+ node-version: [24.x]
 steps:
 - uses: actions/checkout@v4
 - name: Use Node.js ${{ matrix.node-version }} 
@@ -24,7 +24,7 @@ jobs:
 timeout-minutes: 10
 strategy:
 matrix: 
- node-version: [18.x, 20.x] 
+ node-version: [22.x, 24.x]
 steps:
 - uses: actions/checkout@v4
 - name: Use Node.js ${{ matrix.node-version }} 
@@ -45,7 +45,7 @@ jobs:
 timeout-minutes: 10
 strategy:
 matrix: 
- node-version: [20.x] 
+ node-version: [24.x]
 steps:
 - uses: actions/checkout@v4
 - name: Use Node.js ${{ matrix.node-version }} 
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 21b8add..f238bf1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,16 @@
 # bedrock-express ChangeLog
 
+## 8.5.2 - 2025-12-dd 
+ 
+### Fixed 
+- Use `cors()` defaults when cors options are specified as `true` in the 
+ bedrock configuration instead of as an object with granular options. It is 
+ important that the defaults are used (which will use a wildcard, `*`, for 
+ the `access-control-allow-origin` header) in this case and not just the 
+ "origin" reflection mechanism both for security reasons (see CORS processing 
+ rules for wildcards) and because some newer browsers do not send an `origin` 
+ header in some circumstances. 
+
 ## 8.5.1 - 2025-10-31
 ### Fixed 
diff --git a/lib/index.js b/lib/index.js
index e7df4a2..8eb6c2a 100644
--- a/lib/index.js
+++ b/lib/index.js 
@@ -216,10 +216,12 @@ bedrock.events.on('bedrock.start', async () => {
 }
 // setup cors
 let corsHandler = null; 
- if('cors' in cfg) { 
- if(typeof cfg.cors === 'boolean') { 
- // if boolean format and pass through 
- corsHandler = cors({origin: cfg.cors}); 
+ if(cfg.cors) { 
+ if(cfg.cors === true) { 
+ // if boolean format use defaults; using "*" is more secure than 
+ // reflecting an origin (see CORS rules) and is what is expected; to 
+ // reflect "origin" back, use an object with "{origin: true, ...}" 
+ corsHandler = cors();
 } else {
 // if object, use as cors config
 corsHandler = cors(cfg.cors);
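Review bot: The `else` branch on the last three lines of the hunk still hands any truthy non-`true` value straight to `cors(cfg.cors)`, so a misconfigured scalar such as a string or a number is never rejected; as far as I can tell the cors package merges such a value into its defaults, which would silently end up with the wildcard origin instead of a startup error. Tighten the branch to `} else if(typeof cfg.cors === 'object') {` and add a final `} else { throw new TypeError('cors config must be true or an options object'); }` so bad shapes fail at startup rather than at request time. The new comment could also say why the wildcard is the safer default, e.g. `// "*" cannot be combined with credentials, whereas reflecting an arbitrary request origin can expose credentialed responses to any site`. Note that `cfg.cors === false` previously produced a handler via `cors({origin: false})` and now leaves `corsHandler` null; whether those are equivalent depends on how `corsHandler` is consumed, which is outside the hunk, as is the rest of the enclosing `bedrock.start` handler.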