diff --git a/httpbin/core.py b/httpbin/core.py
index 3c51c00..1bad8b3 100644
--- a/httpbin/core.py
+++ b/httpbin/core.py
@@ -44,6 +44,11 @@ sentry = Sentry(app)
 @app.after_request
 def set_cors_headers(response):
 response.headers['Access-Control-Allow-Origin'] = '*'
+ if request.method == 'OPTIONS':
+ response.headers['Access-Control-Allow-Origin'] = '*'
+ response.headers['Access-Control-Allow-Credentials'] = 'true'
+ response.headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE, PATCH, OPTIONS'
+ response.headers['Access-Control-Max-Age'] = str(60 * 60) # 1 hour cache
 return response
diff --git a/test_httpbin.py b/test_httpbin.py
index 7504b8d..0284c85 100755
--- a/test_httpbin.py
+++ b/test_httpbin.py
@@ -45,6 +45,16 @@ class HttpbinTestCase(unittest.TestCase):
 response = self.app.get('/get')
 self.assertEquals(response.headers.get('Access-Control-Allow-Origin'), '*')
+ def test_set_cors_headers_with_options_verb(self):
+ response = self.app.open('/get', method='OPTIONS')
+ self.assertEquals(response.headers.get('Access-Control-Allow-Origin'), '*')
+ self.assertEquals(response.headers.get('Access-Control-Allow-Credentials'), 'true')
+ self.assertEquals(response.headers.get('Access-Control-Allow-Methods'), 'GET, POST, PUT, DELETE, PATCH, OPTIONS')
+ self.assertEquals(response.headers.get('Access-Control-Max-Age'), '3600')
+ self.assertNotIn('Access-Control-Allow-Headers', response.headers) # FIXME should we add any extra headers?
+
+
+
 if __name__ == '__main__':
 unittest.main()
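Review bot: The OPTIONS branch of `set_cors_headers` sends `Access-Control-Allow-Credentials: true` together with `Access-Control-Allow-Origin: *`, a pairing browsers reject for credentialed requests, so the credentials header has no effect as written. It is also set only on the preflight, so the actual GET/POST response would still fail a credentialed check. If credentialed cross-origin access is intended, the origin has to be an explicit allow-listed value on both responses, with `Vary: Origin` added; otherwise drop the credentials line, since echoing any origin alongside credentials would let every site read authenticated responses. The repeated `response.headers['Access-Control-Allow-Origin'] = '*'` inside the `if` duplicates the assignment on the line above and can be removed.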
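Review bot: The last assertion in `test_set_cors_headers_with_options_verb` pins the absence of `Access-Control-Allow-Headers` while its own FIXME says that behaviour is undecided, so the test will fail for the wrong reason once the header is added. A preflight for a request carrying a non-simple header such as `Content-Type: application/json` is refused by browsers without that header, so the decision should be made and the intended value asserted, or the `assertNotIn` dropped until then. The test also covers only the OPTIONS path. A companion check such as `self.assertNotIn('Access-Control-Allow-Credentials', self.app.get('/get').headers)` would pin the other half of the new branch.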