diff --git a/datasette/utils/__init__.py b/datasette/utils/__init__.py
index 4d98a5c3..841d6c6c 100644
--- a/datasette/utils/__init__.py
+++ b/datasette/utils/__init__.py
@@ -1129,7 +1129,7 @@ async def derive_named_parameters(db, sql):
 def add_cors_headers(headers):
 headers["Access-Control-Allow-Origin"] = "*"
- headers["Access-Control-Allow-Headers"] = "Authorization"
+ headers["Access-Control-Allow-Headers"] = "Authorization, Content-Type"
 headers["Access-Control-Expose-Headers"] = "Link"
 headers["Access-Control-Allow-Methods"] = "GET, POST, HEAD, OPTIONS"
diff --git a/docs/json_api.rst b/docs/json_api.rst
index 1ccf9117..c776bdb6 100644
--- a/docs/json_api.rst
+++ b/docs/json_api.rst
@@ -13,7 +13,7 @@ If you started Datasette with the ``--cors`` option, each JSON endpoint will be
 served with the following additional HTTP headers::
 Access-Control-Allow-Origin: *
- Access-Control-Allow-Headers: Authorization
+ Access-Control-Allow-Headers: Authorization, Content-Type
 Access-Control-Expose-Headers: Link
 Access-Control-Allow-Methods: GET, POST, HEAD, OPTIONS
diff --git a/tests/test_api.py b/tests/test_api.py
index 799831d8..0207a6ea 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -912,7 +912,7 @@ def test_cors(
 response = app_client_with_cors.get(path)
 assert response.status == status_code
 assert response.headers["Access-Control-Allow-Origin"] == "*"
- assert response.headers["Access-Control-Allow-Headers"] == "Authorization"
+ assert response.headers["Access-Control-Allow-Headers"] == "Authorization, Content-Type"
 assert response.headers["Access-Control-Expose-Headers"] == "Link"
 assert (
 response.headers["Access-Control-Allow-Methods"] == "GET, POST, HEAD, OPTIONS"
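Review bot: `add_cors_headers` in datasette/utils/__init__.py has no comment recording what keeps the wildcard origin safe, now that `Content-Type` is listed next to `Access-Control-Allow-Origin: *` and `POST` and a preflight for a cross-origin JSON POST will succeed from any origin. No `Access-Control-Allow-Credentials` header is set in the visible lines, so browsers should not attach cookies to these requests. The remaining exposure would be any endpoint that accepts a POST without an explicit token, for example an instance trusted only by its network position. I would record the invariant above the assignments: `# Origin is "*": never add Access-Control-Allow-Credentials here; POST endpoints must require an explicit token.` The end of the function is not visible in this hunk.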
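Review bot: `test_cors` in tests/test_api.py checks the new header value only on a GET response and does not pin that `Access-Control-Allow-Credentials` stays absent, which is what keeps the wildcard origin from applying to cookie-authenticated requests. Adding `assert "Access-Control-Allow-Credentials" not in response.headers` after the `Access-Control-Allow-Origin` assertion would catch a later change that enables credentials. A preflight (`OPTIONS`) case is not visible in this hunk and may exist elsewhere in the file. The function starts before the hunk and continues past it.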