diff --git a/src/ServerlessOffline.js b/src/ServerlessOffline.js
index 4f4715deb..16f3f2457 100644
--- a/src/ServerlessOffline.js
+++ b/src/ServerlessOffline.js
@@ -236,12 +236,8 @@ export default class ServerlessOffline {
       .replace(/\s/g, '')
       .split(',')
 
-    if (this.#options.corsDisallowCredentials) {
-      this.#options.corsAllowCredentials = false
-    }
-
     this.#options.corsConfig = {
-      credentials: this.#options.corsAllowCredentials,
+      credentials: !this.#options.corsDisallowCredentials,
       exposedHeaders: this.#options.corsExposedHeaders,
       headers: this.#options.corsAllowHeaders,
       origin: this.#options.corsAllowOrigin,
diff --git a/src/config/defaultOptions.js b/src/config/defaultOptions.js
index 62ba0f10f..4de9e92d8 100644
--- a/src/config/defaultOptions.js
+++ b/src/config/defaultOptions.js
@@ -2,9 +2,9 @@ import { createApiKey } from '../utils/index.js'
 
 export default {
   apiKey: createApiKey(),
-  corsAllowCredentials: true, // TODO no CLI option
   corsAllowHeaders: 'accept,content-type,x-api-key,authorization',
   corsAllowOrigin: '*',
+  corsDisallowCredentials: true,
   corsExposedHeaders: 'WWW-Authenticate,Server-Authorization',
   disableCookieValidation: false,
   disableScheduledEvents: false,