diff --git a/config.dist.php b/config.dist.php
index 4078b54..83404a5 100644
--- a/config.dist.php
+++ b/config.dist.php
@@ -41,6 +41,12 @@ define('KaraDAV\WWW_URL', sprintf('http%s://%s%s%s', $https, $name, $port, $root
 */
 const WOPI_DISCOVERY_URL = null;
 
+/**
+ * Set this to TRUE if you want 'Access-Control-Allow-Origin' header to be set to '*'
+ * and allow remote JS clients to make WebDAV requests.
+ */
+const ACCESS_CONTROL_ALL = false;
+
 /**
 * Path to a log file (eg. __DIR__ . '/debug.log')
 * This will log all HTTP requests and responses received by the server
diff --git a/lib/KaraDAV/Server.php b/lib/KaraDAV/Server.php
index 30efa49..095e505 100644
--- a/lib/KaraDAV/Server.php
+++ b/lib/KaraDAV/Server.php
@@ -19,7 +19,6 @@ class Server
 
 public function route(?string $uri = null): bool
 {
- header('Access-Control-Allow-Origin: *', true);
 $method = $_SERVER['REQUEST_METHOD'] ?? null;
 
 // Always say YES to OPTIONS
diff --git a/lib/KaraDAV/WebDAV.php b/lib/KaraDAV/WebDAV.php
index 1cba41b..b6b5413 100644
--- a/lib/KaraDAV/WebDAV.php
+++ b/lib/KaraDAV/WebDAV.php
@@ -25,10 +25,12 @@ class WebDAV extends WebDAV_Server
 {
 parent::http_options();
 
- header('Access-Control-Allow-Origin: *');
- header('Access-Control-Allow-Credentials: true');
- header('Access-Control-Allow-Headers: Authorization, *');
- header('Access-Control-Allow-Methods: GET,HEAD,PUT,DELETE,COPY,MOVE,PROPFIND,MKCOL,LOCK,UNLOCK');
+ if (ACCESS_CONTROL_ALL) {
+ header('Access-Control-Allow-Origin: *');
+ header('Access-Control-Allow-Credentials: true');
+ header('Access-Control-Allow-Headers: Authorization, *');
+ header('Access-Control-Allow-Methods: GET,HEAD,PUT,DELETE,COPY,MOVE,PROPFIND,MKCOL,LOCK,UNLOCK');
+ }
 }
 
 public function log(string $message, ...$params)
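Review bot: The docblock added for `ACCESS_CONTROL_ALL` in config.dist.php understates what the flag switches on: per the WebDAV.php hunk it also emits `Access-Control-Allow-Credentials: true`, `Access-Control-Allow-Headers: Authorization, *` and a method list that includes PUT, DELETE and MOVE, not only the wildcard origin. I would say so in the comment, for example `* When TRUE, scripts from any web origin may send WebDAV requests (including PUT/DELETE) with an Authorization header; leave FALSE unless browser-based clients are needed.` Installations whose local config predates this constant will presumably not define it, so the `if (ACCESS_CONTROL_ALL)` check needs a default somewhere; the diff does not show one.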
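Review bot: `Access-Control-Allow-Origin: *` and `Access-Control-Allow-Credentials: true` are still sent together inside the new `if (ACCESS_CONTROL_ALL)` block in WebDAV.php, and browsers refuse a wildcard origin on credentialed requests, so the credentials header has no effect and only suggests that cookie or HTTP-auth sharing is intended. I would drop that line (an `Authorization` header set explicitly by a script is already covered by `Access-Control-Allow-Headers`), and if credentialed access is ever required, compare the request origin against a configured allow-list rather than widening the wildcard. Also, now that Server.php no longer sends the origin header from `route()`, these headers appear only on the OPTIONS reply, so with the flag on a browser would likely pass the preflight and then block the actual response unless the header is set somewhere outside this diff. The enclosing method starts above the hunk.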