diff --git a/Changelog.md b/Changelog.md
index 618f5f5..530fe23 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -9,10 +9,16 @@ This is the changelog for the air quality web interface and its associated HTTP
  - `[Code]` refers to internal changes to the code that have no direct impact on the web interface or the HTTP API, but are significant enough to warrant note.
  - `[Docs]` refers to changes to the [documentation](https://aq.connectedhumber.org/__nightdocs/00-Welcome.html).
 
+
+## v0.13.6
+ - [Code] Add option to allow cross-origin-request sharing HTTP API requests
+
+
 ## v0.13.5
  - Disable the tour, as it's now causing a crash on startup :-(
  - [API] Don't return devices in the device lists that have the `visible` flag in the database set to `0`
 
+
 ## v0.13.4
  - [API] Fix crash in `list-devices-near` action
 
diff --git a/api.php b/api.php
index 7806037..c4ba6cc 100644
--- a/api.php
+++ b/api.php
@@ -78,6 +78,10 @@ if(!class_exists($handler_name)) {
 	exit("Error: No action with the name '$action' could be found.");
 }
 
+if($settings->get("http.cors") !== false) {
+	header("access-control-allow-origin: " . $settings->get("http.cors"));
+}
+
 $handler = $di_container->get($handler_name);
 
 $perfcounter->start("handle");
diff --git a/settings.default.toml b/settings.default.toml
index 44b5d73..139277d 100644
--- a/settings.default.toml
+++ b/settings.default.toml
@@ -7,6 +7,19 @@
 # The operating mode. Can be either "development", or "production" (default; activates a number of optimisations which might make development harder, such as 3rd-party library caches)
 mode = "production"
 
+[http]
+# HTTP related settings
+
+# Whether to enable cross-origin-request-sharing. This allows HTTP API queries
+# from origins other than that of the origin of the HTTP API itself.
+# For example, if the HTTP API is running on sensors.connectedhumber.org, then
+# Without CORS a client-side Javascript program running on foo.example.com would
+# not be able to request data.
+# Possible values: false (disabled), a string (an origin to allow; set via the access-control-allow-origin header), or the special string "*" (allows all origins)
+cors = false
+# cors = "subdomain.example.com"
+# cors = "*"
+
 [database]
 # Settings that control the database, or the connection to it