diff --git a/server/main.go b/server/main.go
index e1b38d6..6f88584 100644
--- a/server/main.go
+++ b/server/main.go
@@ -24,12 +24,20 @@ func main() {
 router := gin.Default()
+ // Front-end resources
 router.StaticFile("/", "client/index.html")
 router.Static("/js", "client/js")
 router.Static("/css", "client/css")
+ // Only allow CORS in development mode
+ if server.Config.Mode == "development" {
+ router.Use(middleware.CorsMiddleware())
+ }
+
+ // User login route
 router.POST("/api/login", routes.Login(server))
+ // Routes that are only accessible after logging in
 loginProtected := router.Group("/", middleware.LoginAuthMiddleware(server))
 loginProtected.GET("/api/sensors", routes.GetSensors(server))
 loginProtected.GET("/api/sensors/:sensor/values", routes.HandleGetSensorValues(server))
@@ -37,6 +45,7 @@ func main() {
 loginProtected.PUT("/api/sensors/:sensor/config/:key", routes.HandlePutSensorConfig(server))
 loginProtected.POST("/api/logout", routes.Logout(server))
+ // Routes accessible using auth key
 keyProtected := router.Group("/", middleware.KeyAuthMiddleware(server))
 keyProtected.POST("/api/sensors/:sensor/values", routes.HandlePostSensorValues(server))
diff --git a/server/middleware/cors.go b/server/middleware/cors.go
new file mode 100644
index 0000000..1e28715
--- /dev/null
+++ b/server/middleware/cors.go
@@ -0,0 +1,12 @@
+package middleware
+
+import "github.com/gin-gonic/gin"
+
+func CorsMiddleware() gin.HandlerFunc {
+ return func(c *gin.Context) {
+ c.Header("Access-Control-Allow-Origin", "*")
+ c.Header("Access-Control-Allow-Credentials", "true")
+ // 2 hours
+ c.Header("Access-Control-Max-Age", "7200")
+ }
+}
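Review bot: The `server.Config.Mode == "development"` comparison in the first main.go hunk is the only thing keeping the permissive CORS headers off a production instance, and nothing visible here shows what `Mode` holds when the setting is missing. If the config loader (outside this diff) falls back to "development", every login-protected and key-protected `/api` route registered below the `Use` call would be served with those headers, so it is worth confirming the default is fail-closed and making the state visible at startup, e.g. `log.Println("development mode: CORS middleware enabled")` inside the `if`. The new comment could also record why the call sits at this position: gin applies `Use` only to routes registered afterwards, so the static routes above are untouched and the API routes below are covered. `main` starts and ends outside the hunk.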
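Review bot: In cors.go, `Access-Control-Allow-Origin: *` together with `Access-Control-Allow-Credentials: true` is a combination browsers refuse for credentialed requests, so cross-origin calls to the login-protected routes will still fail, and the common workaround of echoing back any `Origin` would open those routes to every site. Compare the request's `Origin` with an explicit list of development front-end origins, echo only a match, and add `Vary: Origin`; the call in main.go would then pass that origin (a placeholder such as `<DEV_FRONTEND_ORIGIN>` until the real value is chosen). The handler also never answers `OPTIONS` preflights or sends `Access-Control-Allow-Methods` / `Access-Control-Allow-Headers`, which the PUT route and presumably the JSON POSTs need; the header list in the sketch is a guess and must include whatever header the key-auth middleware reads. The exported function has no doc comment, and the sketch needs `net/http` imported.

```go
// CorsMiddleware returns a development-only handler that allows credentialed
// cross-origin requests from allowedOrigins and answers CORS preflights.
func CorsMiddleware(allowedOrigins ...string) gin.HandlerFunc {
	return func(c *gin.Context) {
		origin := c.GetHeader("Origin")
		allowed := false
		for _, o := range allowedOrigins {
			if o == origin {
				allowed = true
				break
			}
		}
		if !allowed {
			// Unknown or missing Origin: send no CORS headers at all.
			return
		}
		c.Header("Access-Control-Allow-Origin", origin)
		c.Header("Vary", "Origin")
		c.Header("Access-Control-Allow-Credentials", "true")
		c.Header("Access-Control-Allow-Methods", "GET, POST, PUT")
		c.Header("Access-Control-Allow-Headers", "Content-Type")
		// … unchanged: Access-Control-Max-Age header …
		if c.Request.Method == http.MethodOptions {
			c.AbortWithStatus(http.StatusNoContent)
		}
	}
}
```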