diff --git a/datasette/utils/__init__.py b/datasette/utils/__init__.py
index 925c6560..c388673d 100644
--- a/datasette/utils/__init__.py
+++ b/datasette/utils/__init__.py
@@ -1141,6 +1141,7 @@ def add_cors_headers(headers):
 headers["Access-Control-Allow-Headers"] = "Authorization, Content-Type"
 headers["Access-Control-Expose-Headers"] = "Link"
 headers["Access-Control-Allow-Methods"] = "GET, POST, HEAD, OPTIONS"
+ headers["Access-Control-Max-Age"] = "3600"
 _TILDE_ENCODING_SAFE = frozenset(
diff --git a/docs/json_api.rst b/docs/json_api.rst
index 7b130c58..c273c2a8 100644
--- a/docs/json_api.rst
+++ b/docs/json_api.rst
@@ -454,12 +454,28 @@ Enabling CORS
 -------------
 If you start Datasette with the ``--cors`` option, each JSON endpoint will be
-served with the following additional HTTP headers::
+served with the following additional HTTP headers:
+
+.. [[[cog
+ from datasette.utils import add_cors_headers
+ import textwrap
+ headers = {}
+ add_cors_headers(headers)
+ output = "\n".join("{}: {}".format(k, v) for k, v in headers.items())
+ cog.out("\n::\n\n")
+ cog.out(textwrap.indent(output, ' '))
+ cog.out("\n\n")
+.. ]]]
+
+::
 Access-Control-Allow-Origin: *
 Access-Control-Allow-Headers: Authorization, Content-Type
 Access-Control-Expose-Headers: Link
 Access-Control-Allow-Methods: GET, POST, HEAD, OPTIONS
+ Access-Control-Max-Age: 3600
+
+.. [[[end]]]
 This allows JavaScript running on any domain to make cross-origin requests to interact with the Datasette API.
diff --git a/tests/test_api.py b/tests/test_api.py
index 780e9fa5..247fdd5c 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -941,6 +941,7 @@ def test_cors(
 assert (
 response.headers["Access-Control-Allow-Methods"] == "GET, POST, HEAD, OPTIONS"
 )
+ assert response.headers["Access-Control-Max-Age"] == "3600"
 # Same request to app_client_two_attached_databases_one_immutable
 # should not have those headers - I'm using that fixture because
 # regular app_client doesn't have immutable fixtures.db which means
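Review bot: The added `headers["Access-Control-Max-Age"] = "3600"` line in `add_cors_headers` carries no comment on the unit or the reason for one hour; I would add `# Seconds a browser may cache the preflight result; policy changes lag by up to this long` above it. That lag is the security-relevant part: a browser with a cached preflight keeps sending non-simple requests (such as a POST with `Authorization`) without re-checking, so disabling `--cors` or narrowing the allowed methods or headers is not seen by that browser until the entry expires. The header is only read from preflight responses, and as far as these lines show it is set alongside the other CORS headers on every response, which is harmless but worth a word in the comment. The function starts above the hunk.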
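Review bot: The new `Access-Control-Max-Age` assertions check the header on whichever request `test_cors` already makes, and the request method is not visible in this hunk; browsers only consult this header on the response to an `OPTIONS` preflight, so it is worth confirming the test covers that method or adding a case for it. The same remark applies to the negative assertion added in the `-951,6` hunk. `test_cors` begins and ends outside both hunks.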
@@ -951,6 +952,7 @@ def test_cors(
 assert "Access-Control-Allow-Headers" not in response.headers
 assert "Access-Control-Expose-Headers" not in response.headers
 assert "Access-Control-Allow-Methods" not in response.headers
+ assert "Access-Control-Max-Age" not in response.headers
 @pytest.mark.parametrize(