diff --git a/src/http/index.js b/src/http/index.js
index 205c9edc16..63ed93bd2e 100644
--- a/src/http/index.js
+++ b/src/http/index.js
@@ -125,7 +125,13 @@ class HttpApi {
   }
 
   async _createGatewayServer (host, port, ipfs) {
-    const server = Hapi.server({ host, port })
+    const server = Hapi.server({
+      host,
+      port,
+      routes: {
+        cors: true
+      }
+    })
     server.app.ipfs = ipfs
 
     await server.register({
diff --git a/test/gateway/index.js b/test/gateway/index.js
index 651cee1578..76a0e68bac 100644
--- a/test/gateway/index.js
+++ b/test/gateway/index.js
@@ -137,6 +137,22 @@ describe('HTTP Gateway', function () {
     expect(res.headers.suborigin).to.equal('ipfs000bafybeicg2rebjoofv4kbyovkw7af3rpiitvnl6i7ckcywaq6xjcxnc2mby')
   })
 
+  it('returns CORS headers', async () => {
+    const res = await gateway.inject({
+      method: 'OPTIONS',
+      url: '/ipfs/QmT78zSuBmuS4z925WZfrqQ1qHaJ56DQaTfyMUF7F8ff5o',
+      headers: {
+        origin: 'http://example.com',
+        'access-control-request-method': 'GET',
+        'access-control-request-headers': ''
+      }
+    })
+
+    expect(res.statusCode).to.equal(200)
+    expect(res.headers['access-control-allow-origin']).to.equal('http://example.com')
+    expect(res.headers['access-control-allow-methods']).to.equal('GET')
+  })
+
   /* TODO when support for CIDv1 lands
   it('valid CIDv1', (done) => {
     gateway.inject({