diff --git a/services/frontend/pkg/config/defaults/defaultconfig.go b/services/frontend/pkg/config/defaults/defaultconfig.go
index 81eb49b7f8..c984e469d8 100644
--- a/services/frontend/pkg/config/defaults/defaultconfig.go
+++ b/services/frontend/pkg/config/defaults/defaultconfig.go
@@ -185,8 +185,8 @@ func EnsureDefaults(cfg *config.Config) {
 		cfg.MachineAuthAPIKey = cfg.Commons.MachineAuthAPIKey
 	}
 
-	if cfg.HTTP.CORS.AllowedOrigins == nil && cfg.Commons != nil && cfg.Commons.OcisURL != "" ||
-		len(cfg.HTTP.CORS.AllowedOrigins) == 1 && cfg.HTTP.CORS.AllowedOrigins[0] == "https://localhost:9200" {
+	if (cfg.Commons != nil && cfg.Commons.OcisURL != "") && (cfg.HTTP.CORS.AllowedOrigins == nil && cfg.Commons != nil && cfg.Commons.OcisURL != "" ||
+		len(cfg.HTTP.CORS.AllowedOrigins) == 1 && cfg.HTTP.CORS.AllowedOrigins[0] == "https://localhost:9200") {
 		cfg.HTTP.CORS.AllowedOrigins = []string{cfg.Commons.OcisURL}
 	}
 }
diff --git a/services/invitations/pkg/config/defaults/defaultconfig.go b/services/invitations/pkg/config/defaults/defaultconfig.go
index 815491ca91..8eb09dc012 100644
--- a/services/invitations/pkg/config/defaults/defaultconfig.go
+++ b/services/invitations/pkg/config/defaults/defaultconfig.go
@@ -78,8 +78,8 @@ func EnsureDefaults(cfg *config.Config) {
 		cfg.TokenManager = &config.TokenManager{}
 	}
 
-	if cfg.HTTP.CORS.AllowedOrigins == nil && cfg.Commons != nil && cfg.Commons.OcisURL != "" ||
-		len(cfg.HTTP.CORS.AllowedOrigins) == 1 && cfg.HTTP.CORS.AllowedOrigins[0] == "https://localhost:9200" {
+	if (cfg.Commons != nil && cfg.Commons.OcisURL != "") && (cfg.HTTP.CORS.AllowedOrigins == nil && cfg.Commons != nil && cfg.Commons.OcisURL != "" ||
+		len(cfg.HTTP.CORS.AllowedOrigins) == 1 && cfg.HTTP.CORS.AllowedOrigins[0] == "https://localhost:9200") {
 		cfg.HTTP.CORS.AllowedOrigins = []string{cfg.Commons.OcisURL}
 	}
 }
diff --git a/services/ocdav/pkg/config/defaults/defaultconfig.go b/services/ocdav/pkg/config/defaults/defaultconfig.go
index 61122d5656..535ed3e0a7 100644
--- a/services/ocdav/pkg/config/defaults/defaultconfig.go
+++ b/services/ocdav/pkg/config/defaults/defaultconfig.go
@@ -138,8 +138,8 @@ func EnsureDefaults(cfg *config.Config) {
 		cfg.MachineAuthAPIKey = cfg.Commons.MachineAuthAPIKey
 	}
 
-	if cfg.HTTP.CORS.AllowedOrigins == nil && cfg.Commons != nil && cfg.Commons.OcisURL != "" ||
-		len(cfg.HTTP.CORS.AllowedOrigins) == 1 && cfg.HTTP.CORS.AllowedOrigins[0] == "https://localhost:9200" {
+	if (cfg.Commons != nil && cfg.Commons.OcisURL != "") && (cfg.HTTP.CORS.AllowedOrigins == nil && cfg.Commons != nil && cfg.Commons.OcisURL != "" ||
+		len(cfg.HTTP.CORS.AllowedOrigins) == 1 && cfg.HTTP.CORS.AllowedOrigins[0] == "https://localhost:9200") {
 		cfg.HTTP.CORS.AllowedOrigins = []string{cfg.Commons.OcisURL}
 	}
 }
diff --git a/services/ocm/pkg/config/defaults/defaultconfig.go b/services/ocm/pkg/config/defaults/defaultconfig.go
index e2fc0ef4af..1b7b346f0d 100644
--- a/services/ocm/pkg/config/defaults/defaultconfig.go
+++ b/services/ocm/pkg/config/defaults/defaultconfig.go
@@ -166,8 +166,8 @@ func EnsureDefaults(cfg *config.Config) {
 		cfg.GRPC.TLS = structs.CopyOrZeroValue(cfg.Commons.GRPCServiceTLS)
 	}
 
-	if cfg.HTTP.CORS.AllowedOrigins == nil && cfg.Commons != nil && cfg.Commons.OcisURL != "" ||
-		len(cfg.HTTP.CORS.AllowedOrigins) == 1 && cfg.HTTP.CORS.AllowedOrigins[0] == "https://localhost:9200" {
+	if (cfg.Commons != nil && cfg.Commons.OcisURL != "") && (cfg.HTTP.CORS.AllowedOrigins == nil && cfg.Commons != nil && cfg.Commons.OcisURL != "" ||
+		len(cfg.HTTP.CORS.AllowedOrigins) == 1 && cfg.HTTP.CORS.AllowedOrigins[0] == "https://localhost:9200") {
 		cfg.HTTP.CORS.AllowedOrigins = []string{cfg.Commons.OcisURL}
 	}
 }
diff --git a/services/storage-users/pkg/config/defaults/defaultconfig.go b/services/storage-users/pkg/config/defaults/defaultconfig.go
index 85c3406352..a08134ec3a 100644
--- a/services/storage-users/pkg/config/defaults/defaultconfig.go
+++ b/services/storage-users/pkg/config/defaults/defaultconfig.go
@@ -209,8 +209,8 @@ func EnsureDefaults(cfg *config.Config) {
 		cfg.Tasks.PurgeTrashBin.UserID = cfg.Commons.AdminUserID
 	}
 
-	if cfg.HTTP.CORS.AllowedOrigins == nil && cfg.Commons != nil && cfg.Commons.OcisURL != "" ||
-		len(cfg.HTTP.CORS.AllowedOrigins) == 1 && cfg.HTTP.CORS.AllowedOrigins[0] == "https://localhost:9200" {
+	if (cfg.Commons != nil && cfg.Commons.OcisURL != "") && (cfg.HTTP.CORS.AllowedOrigins == nil && cfg.Commons != nil && cfg.Commons.OcisURL != "" ||
+		len(cfg.HTTP.CORS.AllowedOrigins) == 1 && cfg.HTTP.CORS.AllowedOrigins[0] == "https://localhost:9200") {
 		cfg.HTTP.CORS.AllowedOrigins = []string{cfg.Commons.OcisURL}
 	}
 }
diff --git a/services/web/pkg/config/defaults/defaultconfig.go b/services/web/pkg/config/defaults/defaultconfig.go
index 2bc6d8ee2c..ebf9bad926 100644
--- a/services/web/pkg/config/defaults/defaultconfig.go
+++ b/services/web/pkg/config/defaults/defaultconfig.go
@@ -174,8 +174,8 @@ func EnsureDefaults(cfg *config.Config) {
 		cfg.HTTP.TLS = cfg.Commons.HTTPServiceTLS
 	}
 
-	if cfg.HTTP.CORS.AllowedOrigins == nil && cfg.Commons != nil && cfg.Commons.OcisURL != "" ||
-		len(cfg.HTTP.CORS.AllowedOrigins) == 1 && cfg.HTTP.CORS.AllowedOrigins[0] == "https://localhost:9200" {
+	if (cfg.Commons != nil && cfg.Commons.OcisURL != "") && (cfg.HTTP.CORS.AllowedOrigins == nil && cfg.Commons != nil && cfg.Commons.OcisURL != "" ||
+		len(cfg.HTTP.CORS.AllowedOrigins) == 1 && cfg.HTTP.CORS.AllowedOrigins[0] == "https://localhost:9200") {
 		cfg.HTTP.CORS.AllowedOrigins = []string{cfg.Commons.OcisURL}
 	}
 }
diff --git a/services/webfinger/pkg/config/defaults/defaultconfig.go b/services/webfinger/pkg/config/defaults/defaultconfig.go
index 8a0794edbe..53b2b8467b 100644
--- a/services/webfinger/pkg/config/defaults/defaultconfig.go
+++ b/services/webfinger/pkg/config/defaults/defaultconfig.go
@@ -83,8 +83,8 @@ func EnsureDefaults(cfg *config.Config) {
 		cfg.HTTP.TLS = cfg.Commons.HTTPServiceTLS
 	}
 
-	if cfg.HTTP.CORS.AllowedOrigins == nil && cfg.Commons != nil && cfg.Commons.OcisURL != "" ||
-		len(cfg.HTTP.CORS.AllowedOrigins) == 1 && cfg.HTTP.CORS.AllowedOrigins[0] == "https://localhost:9200" {
+	if (cfg.Commons != nil && cfg.Commons.OcisURL != "") && (cfg.HTTP.CORS.AllowedOrigins == nil && cfg.Commons != nil && cfg.Commons.OcisURL != "" ||
+		len(cfg.HTTP.CORS.AllowedOrigins) == 1 && cfg.HTTP.CORS.AllowedOrigins[0] == "https://localhost:9200") {
 		cfg.HTTP.CORS.AllowedOrigins = []string{cfg.Commons.OcisURL}
 	}
 }