diff --git a/config.sample.yaml b/config.sample.yaml
index 8e5741b..a5cea00 100644
--- a/config.sample.yaml
+++ b/config.sample.yaml
@@ -1,6 +1,10 @@
 db:
 driver: pgx
 connect: 'postgres://postgres:password@localhost:5432/example'
+cors:
+ allowedOrigins:
+ - 'http://localhost:*'
+ - 'https://stillbox.server'
 auth:
 jwtsecret: 'super secret string'
 # this is the JWT cookie domain
diff --git a/go.mod b/go.mod
index b49e135..a32f27b 100644
--- a/go.mod
+++ b/go.mod
@@ -7,6 +7,7 @@ require (
 github.com/go-audio/wav v1.1.0
 github.com/go-chi/chi v1.5.5
 github.com/go-chi/chi/v5 v5.1.0
+ github.com/go-chi/cors v1.2.1
 github.com/go-chi/httprate v0.9.0
 github.com/go-chi/jwtauth/v5 v5.3.1
 github.com/go-chi/render v1.0.3
diff --git a/go.sum b/go.sum
index 0fc1ea1..aa4890b 100644
--- a/go.sum
+++ b/go.sum
@@ -36,6 +36,8 @@ github.com/go-chi/chi v1.5.5 h1:vOB/HbEMt9QqBqErz07QehcOKHaWFtuj87tTDVz2qXE=
 github.com/go-chi/chi v1.5.5/go.mod h1:C9JqLr3tIYjDOZpzn+BCuxY8z8vmca43EeMgyZt7irw=
 github.com/go-chi/chi/v5 v5.1.0 h1:acVI1TYaD+hhedDJ3r54HyA6sExp3HfXq7QWEEY/xMw=
 github.com/go-chi/chi/v5 v5.1.0/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/go-chi/cors v1.2.1 h1:xEC8UT3Rlp2QuWNEr4Fs/c2EAGVKBwy/1vHx3bppil4=
+github.com/go-chi/cors v1.2.1/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
 github.com/go-chi/httprate v0.9.0 h1:21A+4WDMDA5FyWcg7mNrhj63aNT8CGh+Z1alOE/piU8=
 github.com/go-chi/httprate v0.9.0/go.mod h1:6GOYBSwnpra4CQfAKXu8sQZg+nZ0M1g9QnyFvxrAB8A=
 github.com/go-chi/jwtauth/v5 v5.3.1 h1:1ePWrjVctvp1tyBq5b/2ER8Th/+RbYc7x4qNsc5rh5A=
diff --git a/pkg/gordio/config/config.go b/pkg/gordio/config/config.go
index 573f230..c8f0a8b 100644
--- a/pkg/gordio/config/config.go
+++ b/pkg/gordio/config/config.go
@@ -10,6 +10,7 @@ import (
 type Config struct {
 DB DB `yaml:"db"`
+ CORS CORS `yaml:"cors"`
 Auth Auth `yaml:"auth"`
 Listen string `yaml:"listen"`
 Public bool `yaml:"public"`
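Review bot: In config.sample.yaml the new entry `'http://localhost:*'` carries no comment marking it as a development value, so a deployment copied from the sample keeps every plain-HTTP localhost port as an allowed origin. I would add a line above it such as `# development only: matches any port on localhost; remove in production`. A second comment line saying that each entry is a full origin (scheme, host, optional port) would help operators write the production entry correctly.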
@@ -23,6 +24,10 @@ type Auth struct {
 AllowInsecure map[string]bool `yaml:"allowInsecureFor"`
 }
+type CORS struct {
+ AllowedOrigins []string `yaml:"allowedOrigins"`
+}
+
 type DB struct {
 Connect string `yaml:"connect"`
 Driver string `yaml:"driver"`
diff --git a/pkg/gordio/server/server.go b/pkg/gordio/server/server.go
index ca17d63..424cd1d 100644
--- a/pkg/gordio/server/server.go
+++ b/pkg/gordio/server/server.go
@@ -12,6 +12,7 @@ import (
 "dynatron.me/x/stillbox/pkg/gordio/sources"
 "github.com/go-chi/chi/middleware"
 "github.com/go-chi/chi/v5"
+ "github.com/go-chi/cors"
 )
 type Server struct {
@@ -48,6 +49,14 @@ func New(cfg *config.Config) (*Server, error) {
 r.Use(middleware.RealIP)
 r.Use(middleware.Logger)
 r.Use(middleware.Recoverer)
+ r.Use(cors.Handler(cors.Options{
+ AllowedOrigins: srv.conf.CORS.AllowedOrigins,
+ AllowedMethods: []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
+ AllowedHeaders: []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token", "Upgrade"},
+ ExposedHeaders: []string{"Link"},
+ AllowCredentials: false,
+ MaxAge: 300, // Maximum value not ignored by any of major browsers
+ }))
 srv.setupRoutes()
 return srv, nil
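Review bot: The new exported `CORS` type in pkg/gordio/config/config.go has no doc comment, and nothing in the hunk tells an operator what an omitted `cors` section or an empty `allowedOrigins` list means. I would add `// CORS configures cross-origin access; AllowedOrigins lists the origins browsers may call the API from.` above the type. A second comment line on the field should state how the server treats an empty list, since that decides whether the default is open or closed.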
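Review bot: In the second hunk of pkg/gordio/server/server.go, `AllowedOrigins: srv.conf.CORS.AllowedOrigins` is passed through unchecked, and go-chi/cors treats an empty origin list as allow-all (its documented default is `*`). An existing config file with no `cors` section would therefore start answering cross-origin reads from any site after this change, which matters most for instances that are only reachable on an internal network. I would install the middleware only when origins are configured, wrapping the call in `if len(srv.conf.CORS.AllowedOrigins) > 0 { ... }`, so the unconfigured case stays same-origin. `AllowCredentials: false` keeps cookies out of cross-origin requests and is worth keeping as is. New's body starts and ends outside the hunk.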