diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2bf647fe2..ea74640ee 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [CalVer](https://calver.org/).
 
+## Unreleased
+### Fixed
+- Added `GC2-API-KEY` to `Access-Control-Allow-Headers` to remove an error when calling feature-api and more from CORS-strict clients such as browsers.
+
 ## [2025.7.0] - 2025-8-7
 ### Added
 - New v4 API `api/v4/sql/database/[database]` which can be used without a token.
diff --git a/public/index.php b/public/index.php
index b1c7628c1..3b0c6eeb0 100755
--- a/public/index.php
+++ b/public/index.php
@@ -131,7 +131,7 @@
 } elseif (isset(App::$param["AccessControlAllowOrigin"]) && App::$param["AccessControlAllowOrigin"][0] == "*") {
     header("Access-Control-Allow-Origin: *");
 }
-header("Access-Control-Allow-Headers: Origin, Content-Type, Authorization, X-Requested-With, Accept, Session, Cache-Control");
+header("Access-Control-Allow-Headers: Origin, Content-Type, Authorization, X-Requested-With, Accept, Session, Cache-Control, GC2-API-KEY");
 header("Access-Control-Allow-Credentials: true");
 header("Access-Control-Allow-Methods: GET, PUT, POST, DELETE, HEAD, OPTIONS");