diff --git a/playbooks/roles/edx_django_service/templates/edx/app/nginx/sites-available/concerns/cors-add-header.j2 b/playbooks/roles/edx_django_service/templates/edx/app/nginx/sites-available/concerns/cors-add-header.j2
index 8c693f4f9ca..fd3f99f5027 100644
--- a/playbooks/roles/edx_django_service/templates/edx/app/nginx/sites-available/concerns/cors-add-header.j2
+++ b/playbooks/roles/edx_django_service/templates/edx/app/nginx/sites-available/concerns/cors-add-header.j2
@@ -1,6 +1,10 @@
 if ($request_method = 'OPTIONS') {
 add_header 'Access-Control-Allow-Origin' $cors_origin;
 add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ {# Leaving USE-JWT-COOKIE header in place, even though this could possibly be
+ cleaned up. We don't want to chance breaking ecommerce. Most backends
+ are using edx-drf-extensions>=10.2.0, and no longer use this header.
+ #}
 add_header 'Access-Control-Allow-Headers' 'Authorization, USE-JWT-COOKIE';
 {% if edx_django_service_allow_cors_credentials %}
 add_header 'Access-Control-Allow-Credentials' true;
diff --git a/playbooks/roles/edx_django_service_with_rendered_config/templates/edx/app/nginx/sites-available/concerns/cors-add-header.j2 b/playbooks/roles/edx_django_service_with_rendered_config/templates/edx/app/nginx/sites-available/concerns/cors-add-header.j2
index fa96d4d179f..d98ff77815b 100644
--- a/playbooks/roles/edx_django_service_with_rendered_config/templates/edx/app/nginx/sites-available/concerns/cors-add-header.j2
+++ b/playbooks/roles/edx_django_service_with_rendered_config/templates/edx/app/nginx/sites-available/concerns/cors-add-header.j2
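Review bot: `add_header 'Access-Control-Allow-Credentials' true` on the new side is only safe if `$cors_origin` can never expand to `*` or to an echo of the request's Origin header; the map that sets `$cors_origin` is outside this hunk, so please confirm it is an allow-list that yields an empty string for unknown origins (nginx omits an add_header whose value expands to empty, which is the behaviour you want here). Note also that nginx does not merge add_header across levels: the set inside this `if` block replaces any add_header defined in the enclosing location/server for OPTIONS responses, so outer-level security headers (HSTS, X-Content-Type-Options, etc.) are silently dropped on preflights unless repeated or `include`d here — that is worth verifying in the rendered config. A short comment at the top of the block would prevent the next maintainer from reintroducing origin reflection: `{# $cors_origin must come from an allow-list map that yields '' for unknown origins; with Allow-Credentials true it must never reflect the request Origin. #}`. The `if` block's closing brace and whatever terminates the preflight (e.g. a `return 204`) lie outside this hunk.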
@@ -1,6 +1,10 @@
 if ($request_method = 'OPTIONS') {
 add_header 'Access-Control-Allow-Origin' $cors_origin;
 add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ {# Leaving USE-JWT-COOKIE header in place, even though this could possibly be
+ cleaned up. We don't want to chance breaking ecommerce. Most backends
+ are using edx-drf-extensions>=10.2.0, and no longer use this header.
+ #}
 add_header 'Access-Control-Allow-Headers' 'Authorization, USE-JWT-COOKIE';
 {% if edx_django_service_with_rendered_config_allow_cors_credentials %}
 add_header 'Access-Control-Allow-Credentials' true;
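Review bot: The new `{# ... #}` comment explains why `USE-JWT-COOKIE` stays in Access-Control-Allow-Headers but gives no condition under which it may be removed, so the next reader has to repeat the same investigation; state the gate explicitly, e.g. add a final line `TODO: drop USE-JWT-COOKIE once ecommerce is confirmed on edx-drf-extensions>=10.2.0 and its preflight has been exercised without it.` inside the comment block. Keeping the header is low risk from a security standpoint: listing an extra custom request header in a preflight only permits the browser to send it, and a backend that ignores it is unaffected. Because this is a Jinja comment it is stripped at render time and never reaches the generated nginx site file, so operators reading the rendered config will not see the rationale — use an nginx `#` comment instead if that visibility matters. This file and the edx_django_service copy are near-identical (they differ only in the credentials flag name), so any later cleanup has to be applied to both.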