diff --git a/httpbin/core.py b/httpbin/core.py index ff22c0f..44fd322 100644 --- a/httpbin/core.py +++ b/httpbin/core.py @@ -57,6 +57,8 @@ def set_cors_headers(response): # http://www.w3.org/TR/cors/#access-control-allow-methods-response-header response.headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE, PATCH, OPTIONS' response.headers['Access-Control-Max-Age'] = '3600' # 1 hour cache + if request.headers.get('Access-Control-Request-Headers') is not None: + response.headers['Access-Control-Allow-Headers'] = request.headers['Access-Control-Request-Headers'] return response diff --git a/test_httpbin.py b/test_httpbin.py index 9adc7dd..d63dbeb 100755 --- a/test_httpbin.py +++ b/test_httpbin.py @@ -113,7 +113,11 @@ class HttpbinTestCase(unittest.TestCase): self.assertNotIn( 'Access-Control-Allow-Headers', response.headers ) - + def test_set_cors_allow_headers(self): + response = self.app.open('/get', method='OPTIONS', headers={'Access-Control-Request-Headers': 'X-Test-Header'}) + self.assertEqual( + response.headers.get('Access-Control-Allow-Headers'), 'X-Test-Header' + ) def test_user_agent(self): response = self.app.get( '/user-agent', headers={'User-Agent': 'test'}
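Review bot: The added branch copies the client-supplied Access-Control-Request-Headers value straight into Access-Control-Allow-Headers, which is functionally an allow-everything preflight answer; if, as the Allow-Methods/Max-Age lines just above suggest, this sits in the OPTIONS preflight branch and the function also reflects Origin with credentials enabled (not visible in the hunk), the net effect is that any origin can send any custom header on a credentialed request. That is reasonable for a test service like httpbin, but it should be said in a comment so the pattern is not copied into production code, e.g. `# Intentionally permissive: echo whatever headers the preflight asked for (httpbin is a test service)`. Reflecting the raw value is presumably not a header-injection vector since Werkzeug's Headers rejects CR/LF in values, but that is worth confirming, and the double lookup reads better as `requested = request.headers.get('Access-Control-Request-Headers')` / `if requested is not None:` / `response.headers['Access-Control-Allow-Headers'] = requested`. set_cors_headers begins above the hunk.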
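Review bot: The hunk removes the blank line between the closing `)` of the preceding test and the new `def test_set_cors_allow_headers`, so the two methods now run together; restore one blank line between methods as the rest of the class appears to do. The new test only pins the single-header case; a second request with a comma-separated value such as `headers={'Access-Control-Request-Headers': 'X-A, X-B'}` asserting the same string comes back would confirm the list is echoed unchanged, and an OPTIONS request without the header (the existing assertNotIn just above covers a similar path) keeps the negative case explicit. HttpbinTestCase continues outside the hunk.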