diff --git a/app/views/entries/_results.html.erb b/app/views/entries/_results.html.erb
index b360922..e4fcea3 100644
--- a/app/views/entries/_results.html.erb
+++ b/app/views/entries/_results.html.erb
@@ -86,7 +86,7 @@
-
<%= pagy_info(@pagy) %>
+
<%= pagy_info(@pagy).html_safe %>
<% pagination_params = { q: @query.presence, category: @category.presence, language: @language_code.presence, starts_with: @starts_with.presence }.compact
diff --git a/test/integration/cors_preflight_test.rb b/test/integration/cors_preflight_test.rb
new file mode 100644
index 0000000..9921728
--- /dev/null
+++ b/test/integration/cors_preflight_test.rb
@@ -0,0 +1,30 @@
+require "test_helper"
+
+class CorsPreflightTest < ActionDispatch::IntegrationTest
+ setup do
+ @origin = "http://localhost:5173"
+ @app_id = "app.sanasto"
+ end
+
+ test "options preflight returns cors headers when app header is requested" do
+ options "/api/entries", headers: {
+ "Origin" => @origin,
+ "Access-Control-Request-Method" => "GET",
+ "Access-Control-Request-Headers" => "x-sanasto-app"
+ }
+
+ assert_response :no_content
+ assert_equal @origin, response.headers["Access-Control-Allow-Origin"]
+ assert_includes response.headers["Access-Control-Allow-Headers"], "x-sanasto-app"
+ end
+
+ test "get includes cors headers when app id is provided" do
+ get "/api/entries", headers: {
+ "Origin" => @origin,
+ "X-Sanasto-App" => @app_id
+ }
+
+ assert_response :success
+ assert_equal @origin, response.headers["Access-Control-Allow-Origin"]
+ end
+end
diff --git a/test/middleware/sanasto_cors_test.rb b/test/middleware/sanasto_cors_test.rb
new file mode 100644
index 0000000..922026e
--- /dev/null
+++ b/test/middleware/sanasto_cors_test.rb
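Review bot: The `.html_safe` added to `pagy_info(@pagy)` switches off Rails' output escaping for that string, and nothing next to the call says why that is safe. It holds only while the helper's output is built from the paginator's counts and locale strings, which is how it is called here (no extra arguments); a later change that passes request-derived text into the helper would turn this line into an HTML-injection sink. I would record the assumption beside the call, e.g. `<%# pagy_info returns helper-generated markup; never pass request-derived text into it %>`, or write it as `<%== pagy_info(@pagy) %>` so the raw output is visible in the tag itself. The markup around the changed line appears to have been lost in extraction, so the enclosing element is not visible in this hunk.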
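Review bot: Both tests in cors_preflight_test.rb send only requests that are expected to be allowed, so nothing pins what happens for an origin the API should refuse; a middleware that echoes back whatever `Origin` it receives would pass them unchanged. The same gap is in test/middleware/sanasto_cors_test.rb, whose only negative case is a missing app id. `Middleware::SanastoCors` is not part of this diff, so whether it keeps an origin allowlist or validates the `X-Sanasto-App` value cannot be told from here; if it does either, negative cases like the ones below would lock that in (the origin and app id in them are constructed sample values).

```ruby
# … unchanged: setup and the two existing tests …

  test "get omits cors headers for an origin that is not allowed" do
    get "/api/entries", headers: {
      "Origin" => "http://unlisted-origin.example",
      "X-Sanasto-App" => @app_id
    }

    assert_nil response.headers["Access-Control-Allow-Origin"]
  end

  test "get omits cors headers for an unrecognised app id" do
    get "/api/entries", headers: {
      "Origin" => @origin,
      "X-Sanasto-App" => "app.unrecognised"
    }

    assert_nil response.headers["Access-Control-Allow-Origin"]
  end
```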
@@ -0,0 +1,55 @@
+require "test_helper"
+
+class SanastoCorsTest < ActiveSupport::TestCase
+ def setup
+ @app = ->(_env) { [ 200, {}, [ "ok" ] ] }
+ @middleware = Middleware::SanastoCors.new(@app)
+ @origin = "http://localhost:5173"
+ @app_id = "app.sanasto"
+ end
+
+ test "adds cors headers for allowed get requests" do
+ env = Rack::MockRequest.env_for(
+ "/api/entries",
+ method: "GET",
+ "HTTP_ORIGIN" => @origin,
+ "HTTP_X_SANASTO_APP" => @app_id
+ )
+
+ status, headers, _body = @middleware.call(env)
+
+ assert_equal 200, status
+ assert_equal @origin, headers["Access-Control-Allow-Origin"]
+ assert_includes headers["Access-Control-Allow-Headers"], "X-Sanasto-App"
+ end
+
+ test "returns preflight response with cors headers when app header is requested" do
+ env = Rack::MockRequest.env_for(
+ "/api/entries",
+ method: "OPTIONS",
+ "HTTP_ORIGIN" => @origin,
+ "HTTP_ACCESS_CONTROL_REQUEST_METHOD" => "GET",
+ "HTTP_ACCESS_CONTROL_REQUEST_HEADERS" => "x-sanasto-app"
+ )
+
+ status, headers, _body = @middleware.call(env)
+
+ assert_equal 204, status
+ assert_equal @origin, headers["Access-Control-Allow-Origin"]
+ assert_includes headers["Access-Control-Allow-Headers"], "x-sanasto-app"
+ assert_includes headers["Vary"], "Access-Control-Request-Headers"
+ end
+
+ test "does not add cors headers when app id is missing" do
+ env = Rack::MockRequest.env_for(
+ "/api/entries",
+ method: "GET",
+ "HTTP_ORIGIN" => @origin
+ )
+
+ status, headers, _body = @middleware.call(env)
+
+ assert_equal 200, status
+ assert_nil headers["Access-Control-Allow-Origin"]
+ end
+end
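Review bot: The GET and preflight tests assert that `Access-Control-Allow-Origin` equals the request's `Origin`, so the header value varies per request, yet `Vary` is checked only on the preflight and only for `Access-Control-Request-Headers`. Without `Vary: Origin` a shared cache can hand one origin's response, allow-origin header included, to a different origin. I would add `assert_includes headers["Vary"], "Origin"` to both "adds cors headers for allowed get requests" and the preflight test. Whether the middleware already sets it cannot be seen from this diff.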