diff --git a/changelogs/client_server/newsfragments/1995.feature b/changelogs/client_server/newsfragments/1995.feature
new file mode 100644
index 00000000..248ca0e3
--- /dev/null
+++ b/changelogs/client_server/newsfragments/1995.feature
@@ -0,0 +1 @@
+Add `PATCH` and `HEAD` to the allowed HTTP methods in CORS responses, as per [MSC4138](https://github.com/matrix-org/matrix-spec-proposals/pull/4138).
diff --git a/content/client-server-api/_index.md b/content/client-server-api/_index.md
index 389ff927..66ca6316 100644
--- a/content/client-server-api/_index.md
+++ b/content/client-server-api/_index.md
@@ -314,9 +314,12 @@ respond with the CORS headers for that route. The recommended CORS
 headers to be returned by servers on all requests are:
 
     Access-Control-Allow-Origin: *
-    Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
+    Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS, PATCH, HEAD
     Access-Control-Allow-Headers: X-Requested-With, Content-Type, Authorization
 
+{{% changed-in v="1.13" %}} `PATCH` and `HEAD` were added to the list for the
+`Access-Control-Allow-Methods` header.
+
 ## Server Discovery
 
 In order to allow users to connect to a Matrix server without needing to