diff --git a/core/server/server.js b/core/server/server.js
index aefe9f9ce1195e41c07a94e0d0a336965daa6a37..d957f97e0455c9302959141b9b3c5b82c1a07733 100644
--- a/core/server/server.js
+++ b/core/server/server.js
@@ -323,6 +323,12 @@ class Server {
     const { apiProvider: githubApiProvider } = this.githubConstellation
     suggest.setRoutes(allowedOrigin, githubApiProvider, camp)
 
+    // https://github.com/badges/shields/issues/3273
+    camp.handle((req, res, next) => {
+      res.setHeader('Access-Control-Allow-Origin', '*')
+      next()
+    })
+
     this.registerErrorHandlers()
     this.registerRedirects()
     this.registerServices()
diff --git a/core/server/server.spec.js b/core/server/server.spec.js
index 53acc855bc9e6c49363e67f9352aa92be0a54051..929f3bc6f7114922e165233f2f67da47a227a0ac 100644
--- a/core/server/server.spec.js
+++ b/core/server/server.spec.js
@@ -151,4 +151,10 @@ describe('The server', function() {
       .and.to.include('410')
       .and.to.include('jpg no longer available')
   })
+
+  it('should return cors header for the request', async function() {
+    const { statusCode, headers } = await got(`${baseUrl}npm/v/express.svg`)
+    expect(statusCode).to.equal(200)
+    expect(headers['access-control-allow-origin']).to.equal('*')
+  })
 })