diff --git a/data-template/nginx/conf.d/app.conf b/data-template/nginx/conf.d/app.conf
index 6f8b361..af35fbf 100644
--- a/data-template/nginx/conf.d/app.conf
+++ b/data-template/nginx/conf.d/app.conf
@@ -16,10 +16,12 @@ server {
 
     # location /.well-known/acme-challenge/ {
     #    root /var/www/certbot;
+    #    add_header Access-Control-Allow-Origin *;
     # }
 
     location /.well-known/matrix/ {
         root /var/www;
+        add_header Access-Control-Allow-Origin *;
     }
 
     # XXX: is this right? or should auth.$DOMAIN be the issuer?
@@ -27,6 +29,7 @@ server {
         proxy_pass http://mas:8080;
         proxy_http_version 1.1;
         proxy_set_header X-Forwarded-For ${DOLLAR}remote_addr;
+        add_header Access-Control-Allow-Origin *;
     }
 
     location / {
@@ -42,6 +45,7 @@ server {
 
     location /.well-known/matrix/ {
         root /var/www;
+        add_header Access-Control-Allow-Origin *;
     }
 
     # XXX: is this right? or should auth.$DOMAIN be the issuer?
@@ -49,6 +53,7 @@ server {
         proxy_pass http://mas:8080;
         proxy_http_version 1.1;
         proxy_set_header X-Forwarded-For ${DOLLAR}remote_addr;
+        add_header Access-Control-Allow-Origin *;
     }
 }
 
@@ -171,8 +176,6 @@ server {
         client_max_body_size 50M;
     }
 
-    location /.well-known {}
-
     # Synapse responses may be chunked, which is an HTTP/1.1 feature.
     proxy_http_version 1.1;
 }