diff --git a/.github/workflows/smoke.yml b/.github/workflows/smoke.yml
index 610f5bb8d5..68af227f65 100644
--- a/.github/workflows/smoke.yml
+++ b/.github/workflows/smoke.yml
@@ -31,9 +31,12 @@ jobs:
       - name: Display comet logs
         if: always()
         run: cat deployments/logs/comet.log
-      - name: Display pd logs
+      - name: Display pd runtime logs
         if: always()
         run: cat deployments/logs/pd.log
+      - name: Display pd test logs
+        if: always()
+        run: cat deployments/logs/pd-tests.log
       - name: Display pclientd logs
         if: always()
         run: cat deployments/logs/pclientd.log
diff --git a/crates/bin/pd/src/main.rs b/crates/bin/pd/src/main.rs
index 86417dedb8..2db2c0e0b8 100644
--- a/crates/bin/pd/src/main.rs
+++ b/crates/bin/pd/src/main.rs
@@ -168,11 +168,6 @@ async fn main() -> anyhow::Result<()> {
             use penumbra_shielded_pool::component::rpc::Server as ShieldedPoolServer;
             use penumbra_stake::component::rpc::Server as StakeServer;
 
-            // Set rather permissive CORS headers for pd's gRPC: the service
-            // should be accessible from arbitrary web contexts, such as localhost,
-            // or any FQDN that wants to reference its data.
-            let cors_layer = CorsLayer::permissive();
-
             let mut grpc_server = Server::builder()
                 .trace_fn(|req| match remote_addr(req) {
                     Some(remote_addr) => {
@@ -185,9 +180,6 @@ async fn main() -> anyhow::Result<()> {
                 // typically uses HTTP/2, which requires HTTPS. Accepting HTTP/2
                 // allows local applications such as web browsers to talk to pd.
                 .accept_http1(true)
-                // Add permissive CORS headers, so pd's gRPC services are accessible
-                // from arbitrary web contexts, including from localhost.
-                .layer(cors_layer)
                 // As part of #2932, we are disabling all timeouts until we circle back to our
                 // performance story.
                 // Sets a timeout for all gRPC requests, but note that in the case of streaming
@@ -242,7 +234,13 @@ async fn main() -> anyhow::Result<()> {
             //
             // TODO(kate): this is where we may attach additional routes upon this router in the
             // future. see #3646 for more information.
-            let router = grpc_server.into_router();
+            let router = grpc_server
+                .into_router()
+                // Set rather permissive CORS headers for pd's gRPC: the service
+                // should be accessible from arbitrary web contexts, such as localhost,
+                // or any FQDN that wants to reference its data.
+                .layer(CorsLayer::permissive());
+
             let make_svc = router.into_make_service();
 
             // Now start the GRPC server, initializing an ACME client to use as a certificate
diff --git a/crates/bin/pd/tests/network_integration.rs b/crates/bin/pd/tests/network_integration.rs
new file mode 100644
index 0000000000..1739a7ad3b
--- /dev/null
+++ b/crates/bin/pd/tests/network_integration.rs
@@ -0,0 +1,23 @@
+//! Basic integration testing for pd.
+//!
+//! Validates behavior of the pd binary itself, such as serving specific HTTP
+//! headers in all contexts. Does NOT evaluate application logic; see the
+//! integration tests for pcli/pclientd for that.
+
+#[ignore]
+#[tokio::test]
+/// Confirm that permissive CORS headers are returned in HTTP responses
+/// by pd. We want these headers to be served directly by pd, so that
+/// an intermediate reverse-proxy is not required.
+async fn check_cors_headers() -> anyhow::Result<()> {
+    let client = reqwest::Client::new();
+    let pd_url =
+        std::env::var("PENUMBRA_NODE_PD_URL").unwrap_or("http://localhost:8080".to_string());
+    let r = client.get(pd_url).send().await?;
+    assert_eq!(r.headers().get("access-control-allow-origin").unwrap(), "*");
+    assert_eq!(
+        r.headers().get("access-control-expose-headers").unwrap(),
+        "*"
+    );
+    Ok(())
+}
diff --git a/deployments/scripts/smoke-test.sh b/deployments/scripts/smoke-test.sh
index 56be8bf2fd..ac75a8acc8 100755
--- a/deployments/scripts/smoke-test.sh
+++ b/deployments/scripts/smoke-test.sh
@@ -64,6 +64,9 @@ trap 'kill -9 "$cometbft_pid" "$pd_pid"' EXIT
 echo "Waiting $TESTNET_BOOTTIME seconds for network to boot..."
 sleep "$TESTNET_BOOTTIME"
 
+echo "Running pd integration tests against running pd binary"
+    cargo test --release --package pd -- --ignored --test-threads 1 --nocapture | tee "${SMOKE_LOG_DIR}/pd-tests.log"
+
 echo "Running pclientd integration tests against network"
 PENUMBRA_NODE_PD_URL="http://127.0.0.1:8080" \
     PCLI_UNLEASH_DANGER="yes" \