diff --git a/crates/cli/src/commands/cors.rs b/crates/cli/src/commands/cors.rs
index 85c2ff9..4e74bed 100644
--- a/crates/cli/src/commands/cors.rs
+++ b/crates/cli/src/commands/cors.rs
@@ -588,6 +588,40 @@ mod tests {
         assert!(error.contains("unsupported method"));
     }
 
+    #[test]
+    fn test_parse_cors_configuration_rejects_empty_allowed_origin() {
+        let error = parse_cors_configuration(
+            r#"{
+                "rules": [
+                    {
+                        "allowedOrigins": [" https://app.example.com ", "   "],
+                        "allowedMethods": ["GET"]
+                    }
+                ]
+            }"#,
+        )
+        .expect_err("empty allowed origin");
+
+        assert!(error.contains("empty allowed origin"));
+    }
+
+    #[test]
+    fn test_parse_cors_configuration_rejects_empty_allowed_method() {
+        let error = parse_cors_configuration(
+            r#"{
+                "rules": [
+                    {
+                        "allowedOrigins": ["*"],
+                        "allowedMethods": ["GET", " "]
+                    }
+                ]
+            }"#,
+        )
+        .expect_err("empty allowed method");
+
+        assert!(error.contains("empty allowed method"));
+    }
+
     #[test]
     fn test_parse_cors_configuration_accepts_xml() {
         let config = parse_cors_configuration(
@@ -620,6 +654,28 @@ mod tests {
         assert_eq!(config.rules[0].allowed_headers, Some(vec!["*".to_string()]));
     }
 
+    #[test]
+    fn test_parse_cors_configuration_drops_blank_optional_headers() {
+        let config = parse_cors_configuration(
+            r#"{
+                "rules": [
+                    {
+                        "allowedOrigins": ["https://app.example.com"],
+                        "allowedMethods": ["get"],
+                        "allowedHeaders": ["   "],
+                        "exposeHeaders": ["", "   "]
+                    }
+                ]
+            }"#,
+        )
+        .expect("parse config with blank optional headers");
+
+        assert_eq!(config.rules.len(), 1);
+        assert_eq!(config.rules[0].allowed_headers, None);
+        assert_eq!(config.rules[0].expose_headers, None);
+        assert_eq!(config.rules[0].allowed_methods, vec!["GET".to_string()]);
+    }
+
     #[test]
     fn test_cors_input_source_prefers_positional_argument() {
         let args = SetCorsArgs {
@@ -644,6 +700,18 @@ mod tests {
         assert_eq!(cors_input_source(&args).as_deref(), Ok("cors.json"));
     }
 
+    #[test]
+    fn test_cors_input_source_rejects_conflicting_inputs() {
+        let args = SetCorsArgs {
+            path: "local/my-bucket".to_string(),
+            source: Some("cors.xml".to_string()),
+            file: Some("cors.json".to_string()),
+            force: false,
+        };
+
+        assert!(cors_input_source(&args).is_err());
+    }
+
     #[test]
     fn test_cors_input_source_requires_source() {
         let args = SetCorsArgs {