diff --git a/swh/web/settings/common.py b/swh/web/settings/common.py
--- a/swh/web/settings/common.py
+++ b/swh/web/settings/common.py
@@ -274,7 +274,7 @@
 JS_REVERSE_JS_MINIFY = False
 
 CORS_ORIGIN_ALLOW_ALL = True
-CORS_URLS_REGEX = r"^/badge/.*$"
+CORS_URLS_REGEX = r"^/(badge|api)/.*$"
 
 AUTHENTICATION_BACKENDS = [
     "django.contrib.auth.backends.ModelBackend",
diff --git a/swh/web/tests/api/test_apiresponse.py b/swh/web/tests/api/test_apiresponse.py
--- a/swh/web/tests/api/test_apiresponse.py
+++ b/swh/web/tests/api/test_apiresponse.py
@@ -5,14 +5,21 @@
 
 import json
 
+from corsheaders.middleware import ACCESS_CONTROL_ALLOW_ORIGIN
+from hypothesis import given
+
+from swh.model.identifiers import CONTENT, DIRECTORY, REVISION
 from swh.web.api.apiresponse import (
     compute_link_header,
     filter_by_fields,
     make_api_response,
     transform,
 )
+from swh.web.common.identifiers import gen_swhid
 from swh.web.common.utils import reverse
 from swh.web.tests.django_asserts import assert_contains
+from swh.web.tests.strategies import content, directory, revision
+from swh.web.tests.utils import check_http_get_response, check_http_post_response
 
 
 def test_compute_link_header():
@@ -140,3 +147,28 @@
     assert resp.status_code == 500
     assert "traceback" in resp.data
     assert "Traceback" in resp.data["traceback"]
+
+
+@given(content(), directory(), revision())
+def test_api_endpoints_have_cors_headers(client, content, directory, revision):
+    url = reverse("api-1-stat-counters")
+
+    resp = check_http_get_response(
+        client, url, status_code=200, http_origin="https://example.org"
+    )
+    assert ACCESS_CONTROL_ALLOW_ORIGIN in resp
+
+    swhids = [
+        gen_swhid(CONTENT, content["sha1_git"]),
+        gen_swhid(DIRECTORY, directory),
+        gen_swhid(REVISION, revision),
+    ]
+    url = reverse("api-1-known")
+    resp = client.options(url, HTTP_ORIGIN="https://example.org")
+    assert resp.status_code == 200
+    assert ACCESS_CONTROL_ALLOW_ORIGIN in resp
+
+    resp = resp = check_http_post_response(
+        client, url, data=swhids, status_code=200, http_origin="https://example.org"
+    )
+    assert ACCESS_CONTROL_ALLOW_ORIGIN in resp
diff --git a/swh/web/tests/utils.py b/swh/web/tests/utils.py
--- a/swh/web/tests/utils.py
+++ b/swh/web/tests/utils.py
@@ -71,6 +71,7 @@
     status_code: int,
     content_type: str = "*/*",
     data: Optional[Dict[str, Any]] = None,
+    http_origin: Optional[str] = None,
 ) -> HttpResponse:
     """Helper function to check HTTP response for a POST request.
 
@@ -86,7 +87,11 @@
     """
     return _assert_http_response(
         response=client.post(
-            url, data=data, content_type="application/json", HTTP_ACCEPT=content_type,
+            url,
+            data=data,
+            content_type="application/json",
+            HTTP_ACCEPT=content_type,
+            HTTP_ORIGIN=http_origin,
         ),
         status_code=status_code,
         content_type=content_type,