diff --git a/package-lock.json b/package-lock.json
index 5ee2a38..f955a69 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -2260,6 +2260,15 @@
       "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz",
       "integrity": "sha1-tf1UIgqivFq1eqtxQMlAdUUDwac="
     },
+    "cors": {
+      "version": "2.8.4",
+      "resolved": "https://registry.npmjs.org/cors/-/cors-2.8.4.tgz",
+      "integrity": "sha1-K9OB8usgECAQXNUOpZ2mMJBpRoY=",
+      "requires": {
+        "object-assign": "4.1.1",
+        "vary": "1.1.2"
+      }
+    },
     "create-ecdh": {
       "version": "4.0.0",
       "resolved": "https://registry.npmjs.org/create-ecdh/-/create-ecdh-4.0.0.tgz",
diff --git a/package.json b/package.json
index 9534b07..b1c4853 100644
--- a/package.json
+++ b/package.json
@@ -13,6 +13,7 @@
     "babelify": "^8.0.0",
     "backbone": "^1.3.3",
     "browserify": "^14.5.0",
+    "cors": "^2.8.4",
     "es6-promise": "^4.1.1",
     "express": "^4.16.2",
     "jquery": "^3.2.1",
diff --git a/server.js b/server.js
index 6fc309e..9a96e9d 100644
--- a/server.js
+++ b/server.js
@@ -1,4 +1,6 @@
 const express = require('express');
+const cors = require('cors')
+
 const path = require('path');
 const apicache = require('apicache');
 const logger = require('log4js').getLogger('Server');
@@ -16,12 +18,7 @@ const cache = apicache.middleware;
 
 app.use(express.static(path.join(__dirname, sitePath)));
 
-app.all('/*', function(req, res, next) {
-  res.header('Access-Control-Allow-Origin', '*');
-  res.header('Access-Control-Allow-Methods', 'GET,HEAD,OPTIONS,POST,PUT');
-  res.header('Access-Control-Allow-Headers', 'Origin, X-Requested-With, Content-Type, Accept, Authorization');
-  next();
-});
+app.options('*', cors()); // include before other routes
 
 app.use('/gettrains', cache('60 seconds'), train.getTrainTimes);
 app.use('/getnexttraintimes', cache('60 seconds'), train.getNextTrainTimes);