diff --git a/ietf/settings.py b/ietf/settings.py
index a0a42fa14..e6c6cee23 100644
--- a/ietf/settings.py
+++ b/ietf/settings.py
@@ -343,6 +343,7 @@ if DEBUG:
 
 MIDDLEWARE = (
     'django.middleware.csrf.CsrfViewMiddleware',
+    'corsheaders.middleware.CorsMiddleware', # see docs on CORS_REPLACE_HTTPS_REFERER before using it
     'django.middleware.common.CommonMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
@@ -382,6 +383,7 @@ INSTALLED_APPS = (
     # External apps 
     'anora',
     'bootstrap3',
+    'corsheaders',
     'django_markup',
     'django_password_strength',
     'djangobwr',
@@ -455,6 +457,12 @@ BOOTSTRAP3 = {
     
 }
 
+# CORS settings
+# See https://github.com/ottoyiu/django-cors-headers/
+CORS_ORIGIN_ALLOW_ALL = True
+CORS_ALLOW_METHODS = ( 'GET', 'OPTIONS', )
+CORS_URLS_REGEX = r'(^/api/.*|^.*json)$'
+
 # Override this in your settings_local with the IP addresses relevant for you:
 INTERNAL_IPS = (
 # local
diff --git a/requirements.txt b/requirements.txt
index bfe751956..47a1e9d24 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -13,6 +13,7 @@ defusedxml>=0.4.1		# for TastyPie when ussing xml; not a declared dependency
 Django>=1.11,<1.12
 django-bcrypt>=0.9.2		# for the BCrypt password hasher option.  Remove when all bcrypt upgraded to argon2
 django-bootstrap3>=8.2.1,<9.0.0
+django-cors-headers>=2.4.0
 django-formtools>=1.0		# instead of django.contrib.formtools in 1.8
 django-markup>=1.1
 django-password-strength>=1.2.1