diff --git a/main_test.go b/main_test.go
index 7e721a29..a8c4ed05 100644
--- a/main_test.go
+++ b/main_test.go
@@ -896,6 +896,59 @@ func TestServe(t *testing.T) {
 			},
 			startHTTP,
 		},
+		{
+			"http allow CORS false",
+			"testdata/http.yml",
+			func(t *testing.T) {
+				req, err := http.NewRequest(http.MethodOptions, "http://127.0.0.1:9090?query=asd", nil)
+				checkErr(t, err)
+				resp, err := http.DefaultClient.Do(req)
+				checkErr(t, err)
+				if resp.StatusCode != http.StatusOK {
+					t.Fatalf("unexpected status code: %d; expected: %d", resp.StatusCode, http.StatusOK)
+				}
+
+				resp.Body.Close()
+				checkHeader(t, resp, "Access-Control-Allow-Origin", "")
+			},
+			startHTTP,
+		},
+		{
+			"http allow CORS true without request Origin header",
+			"testdata/http.allow.cors.yml",
+			func(t *testing.T) {
+				q := "SELECT 123"
+				req, err := http.NewRequest("GET", "http://127.0.0.1:9090?query="+url.QueryEscape(q), nil)
+				checkErr(t, err)
+				resp, err := http.DefaultClient.Do(req)
+				checkErr(t, err)
+				if resp.StatusCode != http.StatusOK {
+					t.Fatalf("unexpected status code: %d; expected: %d", resp.StatusCode, http.StatusOK)
+				}
+				resp.Body.Close()
+				checkHeader(t, resp, "Access-Control-Allow-Origin", "*")
+			},
+			startHTTP,
+		},
+		{
+			"http allow CORS true with request Origin header",
+			"testdata/http.allow.cors.yml",
+			func(t *testing.T) {
+				q := "SELECT 123"
+				req, err := http.NewRequest("GET", "http://127.0.0.1:9090?query="+url.QueryEscape(q), nil)
+				checkErr(t, err)
+				req.Header.Set("Origin", "http://example.com")
+				resp, err := http.DefaultClient.Do(req)
+				checkErr(t, err)
+				if resp.StatusCode != http.StatusOK {
+					t.Fatalf("unexpected status code: %d; expected: %d", resp.StatusCode, http.StatusOK)
+				}
+
+				resp.Body.Close()
+				checkHeader(t, resp, "Access-Control-Allow-Origin", "http://example.com")
+			},
+			startHTTP,
+		},
 	}
 
 	// Wait until CHServer starts.
diff --git a/testdata/http.allow.cors.yml b/testdata/http.allow.cors.yml
new file mode 100644
index 00000000..db445b56
--- /dev/null
+++ b/testdata/http.allow.cors.yml
@@ -0,0 +1,15 @@
+log_debug: true
+server:
+  http:
+      listen_addr: ":9090"
+      allowed_networks: ["127.0.0.1/24"]
+
+users:
+  - name: "default"
+    to_cluster: "default"
+    to_user: "default"
+    allow_cors: true
+
+clusters:
+  - name: "default"
+    nodes: ["127.0.0.1:18124"]
\ No newline at end of file