diff --git a/lib/travis/api/app.rb b/lib/travis/api/app.rb
index ce14ac68..ff8095ab 100644
--- a/lib/travis/api/app.rb
+++ b/lib/travis/api/app.rb
@@ -1,5 +1,6 @@
 require 'sinatra'
 require 'sinatra/reloader'
+require 'travis/api/cors'
 require 'json'
 require 'travis'
 
@@ -9,8 +10,10 @@ module Travis
   module Api
     class App < Sinatra::Application
       autoload :Service, 'travis/api/app/service'
+      disable :protection
 
       use ActiveRecord::ConnectionAdapters::ConnectionManagement
+      use Travis::API::CORS
 
       error ActiveRecord::RecordNotFound do
         not_found
diff --git a/lib/travis/api/cors.rb b/lib/travis/api/cors.rb
new file mode 100644
index 00000000..f27f7e8a
--- /dev/null
+++ b/lib/travis/api/cors.rb
@@ -0,0 +1,20 @@
+require 'sinatra/base'
+
+module Travis
+  module API
+    class CORS < Sinatra::Base
+      disable :protection
+
+      before do
+        headers['Access-Control-Allow-Origin']      = "*"
+        headers['Access-Control-Allow-Credentials'] = "true"
+        headers['Access-Control-Expose-Headers']    = "Content-Type"
+      end
+
+      options // do
+        headers['Access-Control-Allow-Methods'] = "GET, POST, PATCH, PUT, DELETE"
+        headers['Access-Control-Allow-Headers'] = "Content-Type, Authorization"
+      end
+    end
+  end
+end