diff --git a/Gopkg.lock b/Gopkg.lock
index 1d5ce8e82d..3c3e73496f 100644
--- a/Gopkg.lock
+++ b/Gopkg.lock
@@ -210,6 +210,12 @@
   revision = "792786c7400a136282c1664665ae0a8db921c6c2"
   version = "v1.0.0"
 
+[[projects]]
+  name = "github.com/rs/cors"
+  packages = ["."]
+  revision = "7af7a1e09ba336d2ea14b1ce73bf693c6837dbf6"
+  version = "v1.2"
+
 [[projects]]
   branch = "master"
   name = "github.com/rubenv/sql-migrate"
@@ -333,6 +339,6 @@
 [solve-meta]
   analyzer-name = "dep"
   analyzer-version = 1
-  inputs-digest = "6f41dd3a8ddb3ee5e505bb50f8da534722bf6a084161f3d1b1c071784946a659"
+  inputs-digest = "c857c9359eea153d02809743535bf58228f15d216ead4ed5babd07a77ed7297d"
   solver-name = "gps-cdcl"
   solver-version = 1
diff --git a/Gopkg.toml b/Gopkg.toml
index 99a61e50d4..6134bb5136 100644
--- a/Gopkg.toml
+++ b/Gopkg.toml
@@ -104,3 +104,7 @@
 [[constraint]]
   name = "gopkg.in/go-resty/resty.v0"
   version = "0.13.0"
+
+[[constraint]]
+  name = "github.com/rs/cors"
+  version = "1.2.0"
diff --git a/cmd/proxy.go b/cmd/proxy.go
index cafc786101..3310d7477b 100644
--- a/cmd/proxy.go
+++ b/cmd/proxy.go
@@ -5,7 +5,9 @@ import (
 	"net/http"
 	"net/http/httputil"
 	"net/url"
-
+	"os"
+	"strconv"
+	"strings"
 	"time"
 
 	"github.com/meatballhat/negroni-logrus"
@@ -14,6 +16,7 @@ import (
 	"github.com/ory/oathkeeper/director"
 	"github.com/ory/oathkeeper/evaluator"
 	"github.com/ory/oathkeeper/rule"
+	"github.com/rs/cors"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 	"github.com/urfave/negroni"
@@ -63,10 +66,23 @@ var proxyCmd = &cobra.Command{
 		n.Use(negronilogrus.NewMiddlewareFromLogger(logger, "oahtkeeper-proxy"))
 		n.UseHandler(proxy)
 
+		allowCredentials, _ := strconv.ParseBool(os.Getenv("CORS_ALLOWED_CREDENTIALS"))
+		debug, _ := strconv.ParseBool(os.Getenv("CORS_DEBUG"))
+		maxAge, _ := strconv.Atoi(os.Getenv("CORS_MAX_AGE"))
+		ch := cors.New(cors.Options{
+			AllowedOrigins:   strings.Split(os.Getenv("CORS_ALLOWED_ORIGINS"), ","),
+			AllowedMethods:   strings.Split(os.Getenv("CORS_ALLOWED_METHODS"), ","),
+			AllowedHeaders:   strings.Split(os.Getenv("CORS_ALLOWED_HEADERS"), ","),
+			ExposedHeaders:   strings.Split(os.Getenv("CORS_EXPOSED_HEADERS"), ","),
+			AllowCredentials: allowCredentials,
+			MaxAge:           maxAge,
+			Debug:            debug,
+		}).Handler(n)
+
 		addr := fmt.Sprintf("%s:%s", viper.GetString("PROXY_HOST"), viper.GetString("PROXY_PORT"))
 		server := graceful.WithDefaults(&http.Server{
 			Addr:    addr,
-			Handler: n,
+			Handler: ch,
 		})
 
 		logger.Printf("Listening on %s.\n", addr)