diff --git a/roles/couchdb/templates/docker-compose.yml.j2 b/roles/couchdb/templates/docker-compose.yml.j2
index c70e33a..222cd4d 100644
--- a/roles/couchdb/templates/docker-compose.yml.j2
+++ b/roles/couchdb/templates/docker-compose.yml.j2
@@ -24,6 +24,12 @@ services:
     labels:
       traefik.http.routers.couchdb.entrypoints: websecure
       traefik.http.routers.couchdb.rule: "Host(`{{ couchdb_subdomain }}.{{ domain_name }}`)"
+      traefik.http.routers.couchdb.middlewares: cors@docker
       traefik.http.services.couchdb.loadbalancer.server.port: 5984
+      traefik.http.middlewares.cors.headers.accessControlAllowOriginList: https://tempo.agate.blue
+      traefik.http.middlewares.cors.headers.accessControlAllowCredentials: true
+      # Cannot use wildcards with creds, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers
+      traefik.http.middlewares.cors.headers.accessControlAllowHeaders: "Content-Type"
+      traefik.http.middlewares.cors.headers.accessControlAllowMethods: GET, OPTIONS, POST, PUT, DELETE
       traefik.enable: true
     restart: unless-stopped