diff --git a/demo/payload.config.ts b/demo/payload.config.ts
index 64af31a6b9..e5a97ace83 100644
--- a/demo/payload.config.ts
+++ b/demo/payload.config.ts
@@ -122,16 +122,16 @@ export default buildConfig({
     NavigationArray,
     GlobalWithStrictAccess,
   ],
-  cors: [
-    'http://localhost',
-    'http://localhost:3000',
-    'http://localhost:8080',
-    'http://localhost:8081',
-  ],
-  csrf: [
-    'http://localhost:3000',
-    'https://other-app-here.com',
-  ],
+  // cors: [
+  //   'http://localhost',
+  //   'http://localhost:3000',
+  //   'http://localhost:8080',
+  //   'http://localhost:8081',
+  // ],
+  // csrf: [
+  //   'http://localhost:3000',
+  //   'https://other-app-here.com',
+  // ],
   routes: {
     api: '/api',
     admin: '/admin',
diff --git a/src/auth/getExtractJWT.ts b/src/auth/getExtractJWT.ts
index 6ad091c6d6..743b7f0f5b 100644
--- a/src/auth/getExtractJWT.ts
+++ b/src/auth/getExtractJWT.ts
@@ -15,7 +15,7 @@ const getExtractJWT = (config: SanitizedConfig) => (req: Request): string | null
   const tokenCookieName = `${config.cookiePrefix}-token`;
 
   if (cookies && cookies[tokenCookieName]) {
-    if (!origin || (config.csrf && config.csrf.indexOf(origin) > -1)) {
+    if (!origin || config.csrf.length === 0 || config.csrf.indexOf(origin) > -1) {
       return cookies[tokenCookieName];
     }
   }
diff --git a/src/config/sanitize.ts b/src/config/sanitize.ts
index 6854220b67..624d52e4a4 100644
--- a/src/config/sanitize.ts
+++ b/src/config/sanitize.ts
@@ -25,10 +25,9 @@ const sanitizeConfig = (config: Config): SanitizedConfig => {
     sanitizedConfig.globals = sanitizeGlobals(sanitizedConfig.collections, sanitizedConfig.globals);
   }
 
-  sanitizedConfig.csrf = [
-    ...sanitizedConfig.csrf,
-    config.serverURL,
-  ];
+  if (sanitizedConfig.serverURL !== '') {
+    sanitizedConfig.csrf.push(sanitizedConfig.serverURL);
+  }
 
   return sanitizedConfig as SanitizedConfig;
 };
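Review bot: Commenting out the `cors` and `csrf` blocks leaves ten lines of dead text in the demo config; if the intent is to exercise the defaults, deleting them (history keeps the old values) or leaving a single pointer such as `// cors / csrf omitted on purpose: the demo runs with the sanitized defaults` reads better. With both lists gone, the demo now relies on src/config/sanitize.ts to seed `csrf` from `serverURL`, so a demo started without a `serverURL` runs with an empty allowlist, which the src/auth/getExtractJWT.ts hunk treats as "accept the cookie token from any origin" — worth a line in the demo saying that is the expected state.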
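Review bot: The new middle clause makes an empty `config.csrf` fail open: with the removed line an empty array still reached `indexOf`, so a cookie-borne token was only honoured when the Origin header was on the list, whereas now any origin is accepted whenever nothing was configured — which, after the sanitize.ts hunk, is the state of every config without a `serverURL`. If that is the intended default it needs a comment on the changed line, e.g. `// empty csrf allowlist disables the origin check: cookie token accepted from any origin`, and ideally a sanitize-time warning so operators notice; if not, the `length === 0` clause should go so the list has to be populated explicitly. The `!origin` clause (request with no Origin header) is pre-existing and unchanged, and `config.csrf.includes(origin)` reads better than `indexOf(origin) > -1`. The enclosing arrow function starts and ends outside the hunk.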
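Review bot: `push` mutates the array in place, whereas the removed code built a fresh one; if `sanitizedConfig.csrf` still references the array from the caller's `config` (the copy is made above the hunk, so I cannot see whether it is shallow), the caller's config is modified and a second `sanitizeConfig` call appends `serverURL` again. The `!== ''` guard also lets an `undefined` `serverURL` through if the type permits it, which would push `undefined` into the allowlist. A guard covering both, `if (sanitizedConfig.serverURL && !sanitizedConfig.csrf.includes(sanitizedConfig.serverURL)) {` with `sanitizedConfig.csrf = [...sanitizedConfig.csrf, sanitizedConfig.serverURL];` as its body, keeps the original copy-on-write behaviour and stays idempotent. `sanitizeConfig` begins outside the hunk.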