diff --git a/package-lock.json b/package-lock.json
index c820be1359b7241f59f8916d5fec0ecf7c55c2f8..3bb72be059e345cc3decfd98f9f1b1333c13e4b9 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -3206,6 +3206,16 @@
       "resolved": "https://registry.yarnpkg.com/core-util-is/-/core-util-is-1.0.2.tgz",
       "integrity": "sha1-tf1UIgqivFq1eqtxQMlAdUUDwac="
     },
+    "cors": {
+      "version": "2.8.4",
+      "resolved": "https://registry.npmjs.org/cors/-/cors-2.8.4.tgz",
+      "integrity": "sha1-K9OB8usgECAQXNUOpZ2mMJBpRoY=",
+      "dev": true,
+      "requires": {
+        "object-assign": "^4",
+        "vary": "^1"
+      }
+    },
     "cosmiconfig": {
       "version": "5.0.5",
       "resolved": "https://registry.npmjs.org/cosmiconfig/-/cosmiconfig-5.0.5.tgz",
diff --git a/package.json b/package.json
index 2846d03be17bbb42fcac29aab9d92f4490a65fe7..20ced69ea1141295987db878e8debd0299cf53d2 100644
--- a/package.json
+++ b/package.json
@@ -69,6 +69,7 @@
     "babel-preset-env": "^1.6.1",
     "babel-preset-react": "^6.24.1",
     "copy-webpack-plugin": "^4.5.1",
+    "cors": "^2.8.4",
     "css-loader": "^1.0.0",
     "dotenv": "^5.0.1",
     "eslint": "^5.2.0",
diff --git a/webpack.config.js b/webpack.config.js
index b8f961ac443a3ca8ffaade25464829751ab857ce..4ca201bb996a3e6120c3c35d23b5fe51f4a13048 100644
--- a/webpack.config.js
+++ b/webpack.config.js
@@ -7,6 +7,7 @@ const fs = require("fs");
 const path = require("path");
 const selfsigned = require("selfsigned");
 const webpack = require("webpack");
+const cors = require("cors");
 const HTMLWebpackPlugin = require("html-webpack-plugin");
 const ExtractTextPlugin = require("extract-text-webpack-plugin");
 const CopyWebpackPlugin = require("copy-webpack-plugin");
@@ -76,8 +77,9 @@ module.exports = (env, argv) => ({
     host: "0.0.0.0",
     useLocalIp: true,
     allowedHosts: ["hubs.local"],
-    headers: { "Access-Control-Allow-Origin": "hubs.local" },
     before: function(app) {
+      // be flexible with people accessing via a local reticulum on another port
+      app.use(cors({ origin: /hubs\.local(:\d*)?$/ }));
       // networked-aframe makes HEAD requests to the server for time syncing. Respond with an empty body.
       app.head("*", function(req, res, next) {
         if (req.method === "HEAD") {