diff --git a/cfg/vhost-gen/apache22.yml-example-rproxy b/cfg/vhost-gen/apache22.yml-example-rproxy
index 345f77a8..c947b096 100644
--- a/cfg/vhost-gen/apache22.yml-example-rproxy
+++ b/cfg/vhost-gen/apache22.yml-example-rproxy
@@ -134,13 +134,16 @@ features:
 Allow from all
+ # https://stackoverflow.com/a/42558499
+ # https://fetch.spec.whatwg.org/#forbidden-header-name
 xdomain_request: |
 # Allow cross domain request from these hosts
 SetEnvIf Origin "__REGEX__" AccessControlAllowOrigin=$0
- Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
- Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
+ Header always set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
+ Header always set Access-Control-Allow-Methods "HEAD, GET, POST, PUT, PATCH, DELETE, OPTIONS"
+ Header always set Access-Control-Allow-Headers "Accept, Authorization, Content-Security-Policy, Content-Type, Location, Origin, X-Requested-With"
+ Header always set Access-Control-Expose-Headers "Content-Security-Policy, Location"
 Header always set Access-Control-Max-Age "0"
- Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
 # Added a rewrite to respond with a 200 SUCCESS on every OPTIONS request.
 RewriteEngine On
 RewriteCond %{REQUEST_METHOD} OPTIONS
diff --git a/cfg/vhost-gen/apache22.yml-example-vhost b/cfg/vhost-gen/apache22.yml-example-vhost
index 2ed7c9a4..ca65395c 100644
--- a/cfg/vhost-gen/apache22.yml-example-vhost
+++ b/cfg/vhost-gen/apache22.yml-example-vhost
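Review bot: The reflected Access-Control-Allow-Origin is now emitted with `always set` on every response, but nothing emits `Vary: Origin`, so a shared or proxy cache may store a response carrying one origin's ACAO value and serve it to requests from another; add `Header always merge Vary Origin env=AccessControlAllowOrigin` next to the new Allow-Origin line. The new Access-Control-Allow-Headers value also lists `Content-Security-Policy` and `Location`, which are response headers a browser never names in a preflight, and `Origin`, which the linked forbidden-header-name list shows scripts cannot set, so those three entries do nothing and can be dropped (keeping them in Expose-Headers is fine). Since `__REGEX__` is substituted verbatim into SetEnvIf and `$0` reflects whatever it matched, the comment above it should state that the pattern must cover the whole Origin value, e.g. `# __REGEX__ must match the full Origin value (anchor with ^ and $) because the match is reflected back`. The same hunk appears in apache22.yml-example-vhost, apache24.yml-example-rproxy and apache24.yml-example-vhost, and the same Allow-Headers list is used in the two nginx templates.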
@@ -181,13 +181,16 @@ features:
 Allow from all
+ # https://stackoverflow.com/a/42558499
+ # https://fetch.spec.whatwg.org/#forbidden-header-name
 xdomain_request: |
 # Allow cross domain request from these hosts
 SetEnvIf Origin "__REGEX__" AccessControlAllowOrigin=$0
- Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
- Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
+ Header always set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
+ Header always set Access-Control-Allow-Methods "HEAD, GET, POST, PUT, PATCH, DELETE, OPTIONS"
+ Header always set Access-Control-Allow-Headers "Accept, Authorization, Content-Security-Policy, Content-Type, Location, Origin, X-Requested-With"
+ Header always set Access-Control-Expose-Headers "Content-Security-Policy, Location"
 Header always set Access-Control-Max-Age "0"
- Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
 # Added a rewrite to respond with a 200 SUCCESS on every OPTIONS request.
 RewriteEngine On
 RewriteCond %{REQUEST_METHOD} OPTIONS
diff --git a/cfg/vhost-gen/apache24.yml-example-rproxy b/cfg/vhost-gen/apache24.yml-example-rproxy
index a3b566be..77c9882c 100644
--- a/cfg/vhost-gen/apache24.yml-example-rproxy
+++ b/cfg/vhost-gen/apache24.yml-example-rproxy
@@ -137,13 +137,16 @@ features:
 Require all granted
+ # https://stackoverflow.com/a/42558499
+ # https://fetch.spec.whatwg.org/#forbidden-header-name
 xdomain_request: |
 # Allow cross domain request from these hosts
 SetEnvIf Origin "__REGEX__" AccessControlAllowOrigin=$0
- Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
- Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
+ Header always set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
+ Header always set Access-Control-Allow-Methods "HEAD, GET, POST, PUT, PATCH, DELETE, OPTIONS"
+ Header always set Access-Control-Allow-Headers "Accept, Authorization, Content-Security-Policy, Content-Type, Location, Origin, X-Requested-With"
+ Header always set Access-Control-Expose-Headers "Content-Security-Policy, Location"
 Header always set Access-Control-Max-Age "0"
- Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
 # Added a rewrite to respond with a 200 SUCCESS on every OPTIONS request.
 RewriteEngine On
 RewriteCond %{REQUEST_METHOD} OPTIONS
diff --git a/cfg/vhost-gen/apache24.yml-example-vhost b/cfg/vhost-gen/apache24.yml-example-vhost
index 5287dfba..c58eacf9 100644
--- a/cfg/vhost-gen/apache24.yml-example-vhost
+++ b/cfg/vhost-gen/apache24.yml-example-vhost
@@ -206,13 +206,16 @@ features:
 Require all granted
+ # https://stackoverflow.com/a/42558499
+ # https://fetch.spec.whatwg.org/#forbidden-header-name
 xdomain_request: |
 # Allow cross domain request from these hosts
 SetEnvIf Origin "__REGEX__" AccessControlAllowOrigin=$0
- Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
- Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
+ Header always set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
+ Header always set Access-Control-Allow-Methods "HEAD, GET, POST, PUT, PATCH, DELETE, OPTIONS"
+ Header always set Access-Control-Allow-Headers "Accept, Authorization, Content-Security-Policy, Content-Type, Location, Origin, X-Requested-With"
+ Header always set Access-Control-Expose-Headers "Content-Security-Policy, Location"
 Header always set Access-Control-Max-Age "0"
- Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
 # Added a rewrite to respond with a 200 SUCCESS on every OPTIONS request.
 RewriteEngine On
 RewriteCond %{REQUEST_METHOD} OPTIONS
diff --git a/cfg/vhost-gen/nginx.yml-example-rproxy b/cfg/vhost-gen/nginx.yml-example-rproxy
index 6d983509..c7bea226 100644
--- a/cfg/vhost-gen/nginx.yml-example-rproxy
+++ b/cfg/vhost-gen/nginx.yml-example-rproxy
@@ -114,11 +114,12 @@ features:
 xdomain_request: |
 # Allow cross domain request from these hosts
+ # https://fetch.spec.whatwg.org/#forbidden-header-name
 if ( $http_origin ~* (__REGEX__) ) {
- add_header "Access-Control-Allow-Origin" "$http_origin";
- add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
- add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
- add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
+ add_header "Access-Control-Allow-Origin" "$http_origin";
+ add_header 'Access-Control-Allow-Methods' 'HEAD, GET, POST, PUT, PATCH, DELETE, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'Accept, Authorization, Content-Security-Policy, Content-Type, Location, Origin, X-Requested-With';
+ add_header 'Access-Control-Expose-Headers' 'Content-Security-Policy, Location';
 add_header 'Access-Control-Max-Age' 0;
 return 200;
 }
diff --git a/cfg/vhost-gen/nginx.yml-example-vhost b/cfg/vhost-gen/nginx.yml-example-vhost
index 555864df..5d0de860 100644
--- a/cfg/vhost-gen/nginx.yml-example-vhost
+++ b/cfg/vhost-gen/nginx.yml-example-vhost
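Review bot: The rewritten add_header lines inside the `if` block replace, rather than extend, any add_header directives set in the enclosing location or server block, so security headers configured there (HSTS, frame options and the like) will be missing from these responses; the enclosing block lies outside the hunk, so confirm what it sets before relying on inheritance. The reflected `$http_origin` is likewise sent without `Vary: Origin`, which lets an intermediate cache reuse one origin's CORS headers for another; add `add_header 'Vary' 'Origin';` beside the Allow-Origin line. nginx.yml-example-vhost carries the identical change.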
@@ -166,11 +166,12 @@ features:
 xdomain_request: |
 # Allow cross domain request from these hosts
+ # https://fetch.spec.whatwg.org/#forbidden-header-name
 if ( $http_origin ~* (__REGEX__) ) {
- add_header "Access-Control-Allow-Origin" "$http_origin";
- add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
- add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
- add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
+ add_header "Access-Control-Allow-Origin" "$http_origin";
+ add_header 'Access-Control-Allow-Methods' 'HEAD, GET, POST, PUT, PATCH, DELETE, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'Accept, Authorization, Content-Security-Policy, Content-Type, Location, Origin, X-Requested-With';
+ add_header 'Access-Control-Expose-Headers' 'Content-Security-Policy, Location';
 add_header 'Access-Control-Max-Age' 0;
 return 200;
 }
diff --git a/docker-compose.yml b/docker-compose.yml
index c6e6e68f..b42b103c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -227,7 +227,7 @@ services:
 # Web Server
 # ------------------------------------------------------------
 httpd:
- image: devilbox/${HTTPD_SERVER}:${HTTPD_FLAVOUR:-alpine}-1.0-beta2
+ image: devilbox/${HTTPD_SERVER}:${HTTPD_FLAVOUR:-alpine}-1.0
 hostname: httpd
 environment: