diff --git a/adapter/internal/oasparser/envoyconf/envoyconf_internal_test.go b/adapter/internal/oasparser/envoyconf/envoyconf_internal_test.go
index 2e8c4db188..a2531dd6d0 100644
--- a/adapter/internal/oasparser/envoyconf/envoyconf_internal_test.go
+++ b/adapter/internal/oasparser/envoyconf/envoyconf_internal_test.go
@@ -704,6 +704,8 @@ func TestGetCorsPolicy(t *testing.T) {
 	// Test configuration when all the fields are provided.
 	corsPolicy2 := getCorsPolicy(corsConfigModel2)
 	assert.NotNil(t, corsPolicy2, "Cors Policy should not be null.")
+	// To make sure that the allow headers in the config passed is not modified.
+	assert.Equal(t, 2, len(corsConfigModel2.AccessControlAllowHeaders), "Cors Config is modified which is not supposed to be modified.")
 	assert.NotEmpty(t, corsPolicy2.GetAllowOriginStringMatch(), "Cors Allowded Origins should not be null.")
 	assert.Equal(t, regexp.QuoteMeta("http://test.com"),
 		corsPolicy2.GetAllowOriginStringMatch()[0].GetSafeRegex().GetRegex(),
diff --git a/adapter/internal/oasparser/envoyconf/routes_with_clusters.go b/adapter/internal/oasparser/envoyconf/routes_with_clusters.go
index 9b67ac40e8..09c5cc813f 100644
--- a/adapter/internal/oasparser/envoyconf/routes_with_clusters.go
+++ b/adapter/internal/oasparser/envoyconf/routes_with_clusters.go
@@ -1454,10 +1454,11 @@ func getCorsPolicy(corsConfig *model.CorsConfig) *cors_filter_v3.CorsPolicy {
 	if corsConfig == nil || !corsConfig.Enabled {
 		return nil
 	}
+	var finalAccessControlAllowHeaders []string
 
 	conf, _ := config.ReadConfigs()
 	if len(conf.Envoy.Cors.MandatoryHeaders) > 0 {
-		corsConfig.AccessControlAllowHeaders = append(corsConfig.AccessControlAllowHeaders, conf.Envoy.Cors.MandatoryHeaders...)
+		finalAccessControlAllowHeaders = append(corsConfig.AccessControlAllowHeaders, conf.Envoy.Cors.MandatoryHeaders...)
 	}
 
 	stringMatcherArray := []*envoy_type_matcherv3.StringMatcher{}
@@ -1485,8 +1486,8 @@ func getCorsPolicy(corsConfig *model.CorsConfig) *cors_filter_v3.CorsPolicy {
 	if len(corsConfig.AccessControlAllowMethods) > 0 {
 		corsPolicy.AllowMethods = strings.Join(corsConfig.AccessControlAllowMethods, ", ")
 	}
-	if len(corsConfig.AccessControlAllowHeaders) > 0 {
-		corsPolicy.AllowHeaders = strings.Join(corsConfig.AccessControlAllowHeaders, ", ")
+	if len(finalAccessControlAllowHeaders) > 0 {
+		corsPolicy.AllowHeaders = strings.Join(finalAccessControlAllowHeaders, ", ")
 	}
 	if len(corsConfig.AccessControlExposeHeaders) > 0 {
 		corsPolicy.ExposeHeaders = strings.Join(corsConfig.AccessControlExposeHeaders, ", ")