diff --git a/package.json b/package.json
index fa6d38b..cbbcdb9 100644
--- a/package.json
+++ b/package.json
@@ -11,6 +11,7 @@
   },
   "dependencies": {
     "express": "^4.16.3",
+    "cors": "^2.8.4",
     "express-validation": "^1.0.2",
     "joi": "^13.3.0",
     "js-yaml": "^3.12.0",
diff --git a/src/middlewares.js b/src/middlewares.js
index 77facd0..51d9695 100644
--- a/src/middlewares.js
+++ b/src/middlewares.js
@@ -17,6 +17,7 @@ limitations under the License.
 **/
 
 const express = require('express');
+const cors = require('cors');
 const consoleMiddleware = require('./console-middleware.js');
 const ClientError = require('./client-error.js');
 const JoiError = require('./joi-error.js');
@@ -31,6 +32,14 @@ async function attachMiddlewares(app, opts) {
     // Add req.console for nicer formatted logs
     app.use(consoleMiddleware);
 
+    const corsOptions = {
+        origin: '*',
+        methods: ['GET', 'PUT', 'POST', 'DELETE', 'OPTIONS'],
+        allowedHeaders: ['Origin', 'X-Requested-With', 'Content-Type', 'Accept',
+                         'Authorization']
+    }
+    app.use(cors(corsOptions));
+
     // Add express-provided JSON but give it it's own unique error handling instead
     // of falling back on the generic one - handing these back to the client is OK.
     app.use(express.json(), jsonErrorMiddleware);