diff --git a/backend/app/main.py b/backend/app/main.py
index 9a95801e74..9fd1422395 100644
--- a/backend/app/main.py
+++ b/backend/app/main.py
@@ -20,6 +20,12 @@ def custom_generate_unique_id(route: APIRoute) -> str:
     generate_unique_id_function=custom_generate_unique_id,
 )
 
+
+@app.get("/healthz", include_in_schema=False)
+def healthz() -> dict[str, str]:
+    return {"status": "ok"}
+
+
 # Set all CORS enabled origins
 if settings.all_cors_origins:
     app.add_middleware(
diff --git a/backend/tests/api/routes/test_healthz.py b/backend/tests/api/routes/test_healthz.py
new file mode 100644
index 0000000000..d15feeec6f
--- /dev/null
+++ b/backend/tests/api/routes/test_healthz.py
@@ -0,0 +1,19 @@
+from fastapi.testclient import TestClient
+
+from app.core.config import settings
+
+
+def test_healthz(client: TestClient) -> None:
+    response = client.get("/healthz")
+    assert response.status_code == 200
+    assert response.json() == {"status": "ok"}
+
+
+def test_cors_allows_configured_origin(client: TestClient) -> None:
+    response = client.get("/healthz", headers={"Origin": settings.FRONTEND_HOST})
+    assert response.headers.get("access-control-allow-origin") == settings.FRONTEND_HOST
+
+
+def test_cors_blocks_unknown_origin(client: TestClient) -> None:
+    response = client.get("/healthz", headers={"Origin": "https://unknown.example"})
+    assert "access-control-allow-origin" not in response.headers