diff --git a/README.md b/README.md
index 19620f4..410512d 100644
--- a/README.md
+++ b/README.md
@@ -74,6 +74,38 @@ services:
 
 You can use `ddev logs -s elasticsearch` to investigate the Elasticsearch daemon's activity or to troubleshoot RAM-related crashes.
 
+### CORS settings
+
+To better support decoupled architecture testing, HTTP.CORS configuration to expose the server to any origin is in place.
+
+```yaml
+- "http.cors.allow-origin=*"
+- "http.cors.enabled=true"
+- "http.cors.allow-headers=X-Requested-With,X-Auth-Token,Content-Type,Content-Length,Authorization,Access-Control-Allow-Origin,Access-Control-Request-Headers"
+- "http.cors.allow-credentials=true"
+- "http.cors.allow-methods: OPTIONS, HEAD, GET, POST, PUT, DELETE"
+```
+
+When paired with a frontend request with the proper headers, this should allow for cross-origin requests.
+
+```script
+// Example JS fetch() with headers
+fetch('http://vca.ddev.site:9200/elasticsearch_index_db/_search', {
+      method: 'post',
+      body: querystring,
+      //headers: { 'Content-Type': 'application/json' },
+      headers: {
+              'Origin': 'http://localhost:8000',
+              'Content-Type': 'application/json',
+              'Access-Control-Allow-Origin': '*',
+              'Access-Control-Request-Headers': 'access-control-allow-origin,content-type',
+            },
+    })
+```
+
+
+If you change this variable, make sure to remove the `#ddev-generated` line at the top of the file. 
+
 ## Additional Resources
 
 * There are two related answers to the [Stack Overflow question](https://stackoverflow.com/questions/54575785/how-can-i-use-an-elasticsearch-add-on-container-service-with-ddev) on ddev and Elasticsearch.
diff --git a/docker-compose.elasticsearch.yaml b/docker-compose.elasticsearch.yaml
index 3625600..305e915 100644
--- a/docker-compose.elasticsearch.yaml
+++ b/docker-compose.elasticsearch.yaml
@@ -15,6 +15,11 @@ services:
       - VIRTUAL_HOST=${DDEV_HOSTNAME}
       - HTTP_EXPOSE=9200:9200
       - HTTPS_EXPOSE=9201:9200
+      - "http.cors.allow-origin=*"
+      - "http.cors.enabled=true"
+      - "http.cors.allow-headers=X-Requested-With,X-Auth-Token,Content-Type,Content-Length,Authorization,Access-Control-Allow-Origin,Access-Control-Request-Headers"
+      - "http.cors.allow-credentials=true"
+      - "http.cors.allow-methods: OPTIONS, HEAD, GET, POST, PUT, DELETE"
     labels:
       com.ddev.site-name: ${DDEV_SITENAME}
       com.ddev.approot: ${DDEV_APPROOT}