diff --git a/modules/public/public.go b/modules/public/public.go
index e9b9f58ff22f2..abc6b46158027 100644
--- a/modules/public/public.go
+++ b/modules/public/public.go
@@ -33,7 +33,7 @@ func FileHandlerFunc() http.HandlerFunc {
 assetFS := AssetFS()
 return func(resp http.ResponseWriter, req *http.Request) {
 if req.Method != "GET" && req.Method != "HEAD" {
- resp.WriteHeader(http.StatusBadRequest)
+ resp.WriteHeader(http.StatusMethodNotAllowed)
 return
 }
 handleRequest(resp, req, assetFS, req.URL.Path)
diff --git a/routers/web/web.go b/routers/web/web.go
index 0a6e7bc291cfe..d6c3ac19edfe6 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -79,11 +79,12 @@ func optionsCorsHandler() func(next http.Handler) http.Handler {
 if corsHandler != nil && r.Header.Get("Access-Control-Request-Method") != "" {
 corsHandler(next).ServeHTTP(w, r)
 } else {
- // it should explicitly deny OPTIONS requests if CORS is disabled, to avoid the following GET/POST handler to be called by the OPTIONS request
+ // it should explicitly deny OPTIONS requests if CORS handler is executed, to avoid the following GET/POST handler to be incorrectly called by the OPTIONS request
 w.WriteHeader(http.StatusMethodNotAllowed)
 }
 return
 }
+ // for non-OPTIONS requests, call the CORS handler to add some related headers like "Vary"
 if corsHandler != nil {
 corsHandler(next).ServeHTTP(w, r)
 } else {
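Review bot: The 405 now returned in FileHandlerFunc (modules/public/public.go) for non-GET/HEAD requests is sent without an `Allow` header, which RFC 9110 requires on a 405 response so that clients can see which methods are permitted. Set it before the status is written: `resp.Header().Set("Allow", "GET, HEAD")`. The string literals in the method check could also become `http.MethodGet` and `http.MethodHead`, matching the `http.Status…` constants the line already uses. The handler closure continues past the end of the hunk.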
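Review bot: The reworded comment in the `else` branch of optionsCorsHandler (routers/web/web.go) says OPTIONS requests are denied "if CORS handler is executed", but that branch is reached when `corsHandler` is nil or the request carries no `Access-Control-Request-Method` header, i.e. when the CORS handler is not executed. This comment documents the guard that stops an OPTIONS request from falling through to the GET/POST handlers, so the inverted wording could mislead a later change to that check. Suggested wording: `// explicitly deny OPTIONS requests when the CORS handler is not executed, so the following GET/POST handler is never invoked by an OPTIONS request`. The function starts before and continues after the hunk.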