diff --git a/Cargo.toml b/Cargo.toml
index 31ac0ad..8dbdfd9 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -25,7 +25,7 @@ serde = "1.0.195"
 serde_derive = "1.0.195"
 thiserror = "1.0.56"
 tokio = { version = "1.35.1", features = ["full"] }
-tower-http = { version = "0.5.1", features = ["trace", "limit"] }
+tower-http = { version = "0.5.1", features = ["trace", "limit", "cors"] }
 tracing = "0.1.40"
 tracing-subscriber = { version = "0.3.18", features = ["env-filter"] }
 serde_json = "1.0.111"
diff --git a/src/api/mod.rs b/src/api/mod.rs
index 2720b6f..4ea6362 100644
--- a/src/api/mod.rs
+++ b/src/api/mod.rs
@@ -1,13 +1,23 @@
-use axum::{extract::DefaultBodyLimit, routing::get, routing::post, Router};
-use tower_http::{limit::RequestBodyLimitLayer, trace::TraceLayer};
+use axum::{
+    extract::DefaultBodyLimit,
+    routing::{get, post},
+    Router,
+};
+use tower_http::{cors::CorsLayer, limit::RequestBodyLimitLayer, trace::TraceLayer};
 
 pub mod invoices;
 
 pub fn app() -> Router<crate::state::State> {
+    let cors_layer = CorsLayer::new().allow_origin([
+        "https://tietokilta.fi".parse().unwrap(),
+        "http://localhost:3000".parse().unwrap(),
+    ]);
+
     Router::new()
         .route("/health", get(health))
         .route("/invoices", post(invoices::create))
         .layer(TraceLayer::new_for_http())
+        .layer(cors_layer)
         .layer(DefaultBodyLimit::disable())
         // Limit the body to 24 MiB since the email is limited to 25 MiB
         .layer(RequestBodyLimitLayer::new(24 * 1024 * 1024))