diff --git a/app/Config/Routes.php b/app/Config/Routes.php
index cb5dcf7a9e55dc55fea9bd03b2062855c354a485..c4423b483355bac9cdb413b06582f2a56e206270 100644
--- a/app/Config/Routes.php
+++ b/app/Config/Routes.php
@@ -736,6 +736,7 @@ $routes->group('@(:podcastName)', function ($routes): void {
                 ],
             ],
         ]);
+        $routes->options('comments', 'EpisodeController::commentsPreflight/$1/$2');
         $routes->get('comments', 'EpisodeController::comments/$1/$2', [
             'as' => 'episode-comments',
             'application/activity+json' => [
diff --git a/app/Controllers/EpisodeController.php b/app/Controllers/EpisodeController.php
index 34922690e51de5fcaf141ce3358ee1d67c15ad47..6d897b2610caf8bccc51c656df6871bde33292cc 100644
--- a/app/Controllers/EpisodeController.php
+++ b/app/Controllers/EpisodeController.php
@@ -210,6 +210,19 @@ class EpisodeController extends BaseController
             ->setBody($podcastObject->toJSON());
     }
 
+    /**
+     * @noRector ReturnTypeDeclarationRector
+     */
+    public function commentsPreflight(): Response
+    {
+        return $this->response->setHeader('Access-Control-Allow-Origin', '*') // for allowing any domain, insecure
+            ->setHeader('Access-Control-Allow-Headers', '*') // for allowing any headers, insecure
+            ->setHeader('Access-Control-Allow-Methods', 'GET, OPTIONS') // allows GET and OPTIONS methods only
+            ->setHeader('Access-Control-Max-Age', '86400')
+            ->setHeader('Cache-Control', 'public, max-age=86400')
+            ->setStatusCode(200);
+    }
+
     /**
      * @noRector ReturnTypeDeclarationRector
      */
@@ -250,6 +263,7 @@ class EpisodeController extends BaseController
 
         return $this->response
             ->setContentType('application/activity+json')
+            ->setHeader('Access-Control-Allow-Origin', '*')
             ->setBody($collection->toJSON());
     }
 }