diff --git a/NEWS b/NEWS
index bc660714b1d71a6bb36118a6d234f90114c1665a..3cfd78dba21c45d9e73980e4a8f01db7d083d089 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,10 @@
 Knot Resolver 4.x.y (2019-0m-dd)
 ================================
 
+Improvements
+------------
+- DNS-over-HTTPS: answers include `access-control-allow-origin: *` (!823)
+
 Bugfixes
 --------
 - TCP to upstream: don't send wrong message length (unlikely, !816)
diff --git a/modules/http/http.lua.in b/modules/http/http.lua.in
index e858e89d2232eb726429d796e8c6dc1cc1fdf570..6815d74b7b493bac7516761f851e9821dc2db9cb 100644
--- a/modules/http/http.lua.in
+++ b/modules/http/http.lua.in
@@ -165,11 +165,12 @@ local function serve(endpoints, h, stream)
 		entry = endpoints[path:match '^/[^/?]*']
 	end
 	-- Unpack MIME and data
-	local data, mime, ttl, err
+	local data, mime, ttl, any_origin, err
 	if entry then
 		mime = entry[1]
 		data = entry[2]
 		ttl = entry[4]
+		any_origin = entry[5]
 	end
 	-- Get string data out of service endpoint
 	if type(data) == 'function' then
@@ -196,6 +197,9 @@ local function serve(endpoints, h, stream)
 		if ttl then
 			hsend:append('cache-control', string.format('max-age=%d', ttl))
 		end
+		if any_origin then
+			hsend:append('access-control-allow-origin', '*')
+		end
 		assert(stream:write_headers(hsend, false))
 		assert(stream:write_chunk(data, true))
 	end
diff --git a/modules/http/http_doh.lua b/modules/http/http_doh.lua
index 71d1836768bf5e68000cc8b64b399aaafc8ea40f..fb3f6bf67f944592adb692bde624080ff557cf4a 100644
--- a/modules/http/http_doh.lua
+++ b/modules/http/http_doh.lua
@@ -112,6 +112,6 @@ end
 -- Export endpoints
 return {
 	endpoints = {
-		['/doh']   = {'text/plain', serve_doh},
+		['/doh']   = {'text/plain', serve_doh, nil, nil, true},
 	}
 }