diff --git a/datasette/utils/__init__.py b/datasette/utils/__init__.py
index a2254ba6..4d98a5c3 100644
--- a/datasette/utils/__init__.py
+++ b/datasette/utils/__init__.py
@@ -1131,6 +1131,7 @@ def add_cors_headers(headers):
     headers["Access-Control-Allow-Origin"] = "*"
     headers["Access-Control-Allow-Headers"] = "Authorization"
     headers["Access-Control-Expose-Headers"] = "Link"
+    headers["Access-Control-Allow-Methods"] = "GET, POST, HEAD, OPTIONS"
 
 
 _TILDE_ENCODING_SAFE = frozenset(
diff --git a/docs/json_api.rst b/docs/json_api.rst
index 058c9f63..1ccf9117 100644
--- a/docs/json_api.rst
+++ b/docs/json_api.rst
@@ -15,6 +15,7 @@ served with the following additional HTTP headers::
     Access-Control-Allow-Origin: *
     Access-Control-Allow-Headers: Authorization
     Access-Control-Expose-Headers: Link
+    Access-Control-Allow-Methods: GET, POST, HEAD, OPTIONS
 
 This means JavaScript running on any domain will be able to make cross-origin
 requests to fetch the data.
diff --git a/tests/test_api.py b/tests/test_api.py
index 24549d42..4ead87d1 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -914,6 +914,7 @@ def test_cors(
     assert response.headers["Access-Control-Allow-Origin"] == "*"
     assert response.headers["Access-Control-Allow-Headers"] == "Authorization"
     assert response.headers["Access-Control-Expose-Headers"] == "Link"
+    assert response.headers["Access-Control-Allow-Methods"] == "GET, POST, HEAD, OPTIONS"
     # Same request to app_client_two_attached_databases_one_immutable
     # should not have those headers - I'm using that fixture because
     # regular app_client doesn't have immutable fixtures.db which means
@@ -923,6 +924,7 @@ def test_cors(
     assert "Access-Control-Allow-Origin" not in response.headers
     assert "Access-Control-Allow-Headers" not in response.headers
     assert "Access-Control-Expose-Headers" not in response.headers
+    assert "Access-Control-Allow-Methods" not in response.headers
 
 
 @pytest.mark.parametrize(
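Review bot: add_cors_headers has no docstring, and the new Access-Control-Allow-Methods line is the one header in this function whose effect is easy to misread: browsers consult it only on the preflight (OPTIONS) response, so setting it on every response is harmless but advertising POST here grants nothing by itself — with Access-Control-Allow-Origin set to "*" the browser sends no credentials, so any POST route exposed under these headers must authenticate via its own mechanism (the Authorization header already allowed above) rather than cookies. Suggest a docstring such as `"""Add permissive CORS headers to *headers* in place. Allow-Methods is only honoured on preflight responses; it does not authorize POST on its own, each POST endpoint must enforce its own authentication."""`. Whether Datasette actually answers OPTIONS preflights is not visible in this hunk, so that is worth confirming. The def line of add_cors_headers is outside the hunk.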
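Review bot: Both new assertions in test_cors exercise the header on the same (apparently GET) request the existing assertions use, but Access-Control-Allow-Methods is the header a browser reads from a preflight, so the test never checks the request the change is for; consider adding, next to the first new assertion, a request such as `response = app_client.request("/", method="OPTIONS")` followed by `assert response.headers["Access-Control-Allow-Methods"] == "GET, POST, HEAD, OPTIONS"`, using whatever request helper the fixture client provides (the exact helper is not visible here). The literal "GET, POST, HEAD, OPTIONS" now lives in three places (utils, docs, test); a module-level constant in utils that the test imports would keep them from drifting. test_cors starts outside both hunks.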