diff --git a/simple_webfinger/app.py b/simple_webfinger/app.py
index 55241da..1b2314d 100644
--- a/simple_webfinger/app.py
+++ b/simple_webfinger/app.py
@@ -1,7 +1,7 @@
 from urllib.parse import urlparse

 import yaml
-from flask import Flask, abort, request
+from flask import Flask, abort, request, Response
 from prometheus_flask_exporter import PrometheusMetrics

 from simple_webfinger.models.webfinger import JSONResourceDefinition
@@ -84,6 +84,11 @@ def create_app(config={}):
 "No domain is configured for webfinger, this instance will not operate correctly."
 )

+ @app.after_request
+ def inject_cors(response: Response) -> Response:
+ response.headers["Access-Control-Allow-Origin"] = "*"
+ return response
+
 @app.route("/.well-known/webfinger")
 def webfinger():
 resource = request.args.get("resource")
diff --git a/tests/test_basic.py b/tests/test_basic.py
index bf97085..90e762c 100644
--- a/tests/test_basic.py
+++ b/tests/test_basic.py
@@ -56,6 +56,20 @@ def test_invalid_user_request(app, client):
 response = client.get("/.well-known/webfinger?resource=nikdoof@doofnet.uk")
 assert response.status_code == 404

+def test_cors_headers(client):
+ # https://datatracker.ietf.org/doc/html/rfc7033#section-5
+ # Access-Control-Allow-Origin: *
+ response = client.get("/.well-known/webfinger?resource=acct:testaccount@doofnet.uk")
+ assert response.status_code == 200
+ assert 'Access-Control-Allow-Origin' in response.headers
+ assert response.headers['Access-Control-Allow-Origin'] == '*'
+
+def test_content_type_response(client):
+ # https://datatracker.ietf.org/doc/html/rfc7033#section-10.2
+ response = client.get("/.well-known/webfinger?resource=acct:testaccount@doofnet.uk")
+ assert response.status_code == 200
+ assert response.headers['Content-Type'] == 'application/jrd+json'
+
 def test_rel_filtering(client):
 """
 Check that filtering links by rel work correctly
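Review bot: `inject_cors` is registered with `app.after_request`, so the wildcard `Access-Control-Allow-Origin` is attached to every response the app serves, not only to `/.well-known/webfinger`, the endpoint the RFC 7033 section cited in the new test is about. The file also imports `PrometheusMetrics`; if that exporter's metrics endpoint (or any route added later) is registered on this app, it becomes readable by scripts from any origin too, though that registration is outside the hunk and should be confirmed. Scoping the hook keeps the header where it is needed, for example by putting `if request.path == "/.well-known/webfinger":` in front of the assignment. A one-line docstring on `inject_cors` citing the RFC section would record why `*` is intentional here. `create_app` starts and ends outside the hunk.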
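Review bot: `test_cors_headers` checks the header only on the 200 response, so it passes whether the hook covers one route or all of them, and it says nothing about error responses. A browser client needs the header on the 404 as well in order to read the status, so `test_invalid_user_request` (which starts outside the hunk) could add `assert response.headers.get('Access-Control-Allow-Origin') == '*'`. If the header is later scoped to the WebFinger path, a request to a path outside it should assert that the header is absent. The `in response.headers` assertion is redundant with the equality check on the next line, and the RFC links would fit better as docstrings, matching `test_rel_filtering`.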