diff --git a/etc/nginx/includes/cors.conf b/etc/nginx/includes/cors.conf
new file mode 100644
index 0000000..9947c07
--- /dev/null
+++ b/etc/nginx/includes/cors.conf
@@ -0,0 +1,38 @@
+# Enable CORS
+
+# Allow cross-origin requests.
+#
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
+# https://enable-cors.org/
+# https://www.w3.org/TR/cors/
+
+# (!) Do not use this without understanding the consequences.
+#     This will permit access from any other website.
+#     Instead of using this file, consider using a specific rule such as
+#     allowing access based on (sub)domain:
+#
+#         add_header Access-Control-Allow-Origin "subdomain.example.com";
+
+# Simple requests
+if ($request_method ~* "(GET|POST)") {
+    # Wildcard allow all origin
+    #add_header Access-Control-Allow-Origin "*";
+    add_header Access-Control-Allow-Origin $cors;
+    add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, HEAD";
+    add_header Access-Control-Expose-Headers "Content-Length, Content-Range";
+    add_header Access-Control-Allow-Headers "Authorization, Origin, DNT, User-Agent, X-Requested-With, If-Modified-Since, Cache-Control, Content-Type, Accept, Range";
+}
+
+# Pre-flighted requests
+if ($request_method = OPTIONS) {
+    # Wildcard allow all origin
+    #add_header Access-Control-Allow-Origin "*";
+    add_header Access-Control-Allow-Origin $cors;
+    add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, HEAD";
+    add_header Access-Control-Allow-Headers "Authorization, Origin, DNT, User-Agent, X-Requested-With, If-Modified-Since, Cache-Control, Content-Type, Accept, Range";
+    add_header Access-Control-Max-Age 1728000;
+    add_header Content-Type "text/plain; charset=utf-8";
+    add_header Content-Length 0;
+    
+    return 200;
+}