diff --git a/CHANGELOG.md b/CHANGELOG.md
index fbaf1d0b..9bd19ff7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,8 @@
 
 FEATURE: Support `html_path` directive in `interstitial` stanza of public frontend configuration to support using an external HTML file for the interstitial page (https://github.com/openziti/zrok/issues/716)
 
+FEATURE: `zrok access private` now includes a `--response-header` flag to add headers to the response for HTTP-based backends. Add flag multiple times to add multiple headers to the response. Expects `key:value` header definitions in this format: `--response-header "Access-Control-Allow-Origin: *"` (https://github.com/openziti/zrok/issues/522)
+
 CHANGE: Update `github.com/openziti/sdk-golang` (and related dependencies) to version `v0.23.40`.
 
 CHANGE: upgrade to ziti v1.1.7 CLI in zrok container image
diff --git a/cmd/zrok/accessPrivate.go b/cmd/zrok/accessPrivate.go
index 3d1d5c39..1bb41be1 100644
--- a/cmd/zrok/accessPrivate.go
+++ b/cmd/zrok/accessPrivate.go
@@ -28,9 +28,10 @@ func init() {
 }
 
 type accessPrivateCommand struct {
-	bindAddress string
-	headless    bool
-	cmd         *cobra.Command
+	bindAddress     string
+	headless        bool
+	responseHeaders []string
+	cmd             *cobra.Command
 }
 
 func newAccessPrivateCommand() *accessPrivateCommand {
@@ -41,8 +42,9 @@ func newAccessPrivateCommand() *accessPrivateCommand {
 	}
 	command := &accessPrivateCommand{cmd: cmd}
 	cmd.Flags().BoolVar(&command.headless, "headless", false, "Disable TUI and run headless")
-	cmd.Run = command.run
 	cmd.Flags().StringVarP(&command.bindAddress, "bind", "b", "127.0.0.1:9191", "The address to bind the private frontend")
+	cmd.Flags().StringArrayVar(&command.responseHeaders, "response-header", []string{}, "Add a response header ('key:value')")
+	cmd.Run = command.run
 	return command
 }
 
@@ -194,6 +196,7 @@ func (cmd *accessPrivateCommand) run(_ *cobra.Command, args []string) {
 		cfg := proxy.DefaultFrontendConfig(env.EnvironmentIdentityName())
 		cfg.ShrToken = shrToken
 		cfg.Address = cmd.bindAddress
+		cfg.ResponseHeaders = cmd.responseHeaders
 		cfg.RequestsChan = requests
 		fe, err := proxy.NewFrontend(cfg)
 		if err != nil {
diff --git a/endpoints/proxy/frontend.go b/endpoints/proxy/frontend.go
index 9660270e..f868f0aa 100644
--- a/endpoints/proxy/frontend.go
+++ b/endpoints/proxy/frontend.go
@@ -15,15 +15,17 @@ import (
 	"net/http"
 	"net/http/httputil"
 	"net/url"
+	"strings"
 	"time"
 )
 
 type FrontendConfig struct {
-	IdentityName string
-	ShrToken     string
-	Address      string
-	Tls          *endpoints.TlsConfig
-	RequestsChan chan *endpoints.Request
+	IdentityName    string
+	ShrToken        string
+	Address         string
+	ResponseHeaders []string
+	Tls             *endpoints.TlsConfig
+	RequestsChan    chan *endpoints.Request
 }
 
 func DefaultFrontendConfig(identityName string) *FrontendConfig {
@@ -112,6 +114,14 @@ func newServiceProxy(cfg *FrontendConfig, ctx ziti.Context) (*httputil.ReversePr
 		req.Header.Set("X-Proxy", "zrok")
 	}
 	proxy.ModifyResponse = func(resp *http.Response) error {
+		for _, responseHeader := range cfg.ResponseHeaders {
+			tokens := strings.Split(responseHeader, ":")
+			if len(tokens) == 2 {
+				resp.Header.Set(strings.TrimSpace(tokens[0]), strings.TrimSpace(tokens[1]))
+			} else {
+				logrus.Errorf("invalid response header '%v' (expecting header:value", responseHeader)
+			}
+		}
 		return nil
 	}
 	proxy.ErrorHandler = func(w http.ResponseWriter, r *http.Request, err error) {