diff --git a/Dockerfile b/Dockerfile
index 0eb3da4..c6b46d8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,6 +5,7 @@ ARG CORS_ENABLED=false
 ARG CORS_ALLOWED_ORIGINS=*
 ARG CORS_ALLOWED_METHODS=GET,POST,PUT,DELETE,HEAD,OPTIONS
 ARG CORS_ALLOWED_HEADERS=*
+ARG CORS_ALLOW_CREDENTIALS=false
 
 # Environment variables
 ENV CATALINA_HOME=/opt/apache-tomcat-${TOMCAT_VERSION}
@@ -13,6 +14,7 @@ ENV CORS_ENABLED=$CORS_ENABLED
 ENV CORS_ALLOWED_ORIGINS=$CORS_ALLOWED_ORIGINS
 ENV CORS_ALLOWED_METHODS=$CORS_ALLOWED_METHODS
 ENV CORS_ALLOWED_HEADERS=$CORS_ALLOWED_HEADERS
+ENV CORS_ALLOW_CREDENTIALS=$CORS_ALLOW_CREDENTIALS
 ENV DEBIAN_FRONTEND=noninteractive
 
 # see https://docs.geoserver.org/stable/en/user/production/container.html
diff --git a/README.md b/README.md
index e1fd466..950f62a 100644
--- a/README.md
+++ b/README.md
@@ -76,7 +76,12 @@ The ``startup.sh`` script allows some customization on startup:
 
 * ``INSTALL_EXTENSIONS`` to ``true`` to download and install extensions
 * ``STABLE_EXTENSIONS`` list of extensions to download and install
-* ``CORS_ENABLED``
+* ``CORS_ENABLED`` to ``true`` to enable CORS support. The following environment variables can be used to customize the CORS configuration.
+  * ``CORS_ALLOWED_ORIGINS`` (default ``*``)
+  * ``CORS_ALLOWED_METHODS`` (default ``GET,POST,PUT,DELETE,HEAD,OPTIONS``)
+  * ``CORS_ALLOWED_HEADERS`` (default ``*``)
+  * ``CORS_ALLOW_CREDENTIALS`` (default ``false``) **Setting this to ``true`` will only have the desired effect if ``CORS_ALLOWED_ORIGINS`` defines explicit origins (not ``*``)**
+* ``PROXY_BASE_URL`` to the base URL of the GeoServer web app if GeoServer is behind a proxy. Example: ``https://example.com/geoserver``.
 
 Example installing wps and ysld extensions:
 
diff --git a/startup.sh b/startup.sh
index 7877831..7f008b7 100755
--- a/startup.sh
+++ b/startup.sh
@@ -54,6 +54,14 @@ fi
 if [ "${CORS_ENABLED}" = "true" ]; then
   if ! grep -q DockerGeoServerCorsFilter "$CATALINA_HOME/webapps/geoserver/WEB-INF/web.xml"; then
     echo "Enable CORS for $CATALINA_HOME/webapps/geoserver/WEB-INF/web.xml"
+
+    # Add support for access-control-allow-credentials when the origin is not a wildcard when specified via env var
+    if [ "${CORS_ALLOWED_ORIGINS}" != "*" ] && [ "${CORS_ALLOW_CREDENTIALS}" = "true" ]; then
+      CORS_ALLOW_CREDENTIALS="true"
+    else
+      CORS_ALLOW_CREDENTIALS="false"
+    fi
+
     sed -i "\:</web-app>:i\\
     <filter>\n\
       <filter-name>DockerGeoServerCorsFilter</filter-name>\n\
@@ -70,6 +78,10 @@ if [ "${CORS_ENABLED}" = "true" ]; then
         <param-name>cors.allowed.headers</param-name>\n\
         <param-value>${CORS_ALLOWED_HEADERS}</param-value>\n\
       </init-param>\n\
+      <init-param>\n\
+        <param-name>cors.support.credentials</param-name>\n\
+        <param-value>${CORS_ALLOW_CREDENTIALS}</param-value>\n\
+      </init-param>\n\
     </filter>\n\
     <filter-mapping>\n\
       <filter-name>DockerGeoServerCorsFilter</filter-name>\n\