diff --git a/packages/node_modules/node-red/package.json b/packages/node_modules/node-red/package.json
index 4d0f8e519..0b7fbb1a9 100644
--- a/packages/node_modules/node-red/package.json
+++ b/packages/node_modules/node-red/package.json
@@ -37,6 +37,7 @@
         "@node-red/nodes": "4.0.0-beta.4",
         "basic-auth": "2.0.1",
         "bcryptjs": "2.4.3",
+        "cors": "2.8.5",
         "express": "4.19.2",
         "fs-extra": "11.2.0",
         "node-red-admin": "^3.1.3",
diff --git a/packages/node_modules/node-red/red.js b/packages/node_modules/node-red/red.js
index b97806ca8..5f3c9da25 100755
--- a/packages/node_modules/node-red/red.js
+++ b/packages/node_modules/node-red/red.js
@@ -44,6 +44,8 @@ var nopt = require("nopt");
 var path = require("path");
 const os = require("os")
 var fs = require("fs-extra");
+const cors = require('cors');
+
 var RED = require("./lib/red.js");
 
 var server;
@@ -441,10 +443,16 @@ httpsPromise.then(function(startupHttps) {
             const thisRoot = sp.root || "/";
             const options = sp.options;
             const middleware = sp.middleware;
+            const corsOptions = sp.cors || settings.httpStaticCors;
             if(appUseMem[filePath + "::" + thisRoot]) {
                 continue;// this path and root already registered!
             }
             appUseMem[filePath + "::" + thisRoot] = true;
+            if (corsOptions) {
+                const corsHandler = cors(corsOptions);
+                app.options(thisRoot, corsHandler)
+                app.use(thisRoot, corsHandler)
+            }
             if (settings.httpStaticAuth) {
                 app.use(thisRoot, basicAuthMiddleware(settings.httpStaticAuth.user, settings.httpStaticAuth.pass));
             }