diff --git a/doc/source/userdoc/advanced.configuration.guide.rst b/doc/source/userdoc/advanced.configuration.guide.rst
index e9fdda88..13c79bad 100644
--- a/doc/source/userdoc/advanced.configuration.guide.rst
+++ b/doc/source/userdoc/advanced.configuration.guide.rst
@@ -445,3 +445,35 @@ template, use the ``URL of NTP server`` setting in the ``General Parameters``
 section when you create the template. If you would like to disable NTP for a
 particular cluster template, deselect the ``Enable NTP service`` checkbox in
 the ``General Parameters`` section when you create the template.
+
+CORS (Cross Origin Resource Sharing) Configuration
+--------------------------------------------------
+
+Sahara provides direct API access to user-agents (browsers) via the HTTP
+CORS protocol. Detailed documentation, as well as troubleshooting examples,
+may be found in the OpenStack `Cloud Admin Guide`_.
+
+To get started quickly, use the example configuration block below, replacing
+the :code:`allowed origin` field with the host(s) from which your API expects
+access.
+
+.. sourcecode:: cfg
+
+    [cors]
+    allowed_origin=https://we.example.com:443
+    max_age=3600
+    allow_credentials=true
+
+    [cors.additional_domain_1]
+    allowed_origin=https://additional_domain_1.example.com:443
+
+    [cors.additional_domain_2]
+    allowed_origin=https://additional_domain_2.example.com:443
+
+..
+
+For more information on Cross Origin Resource Sharing, please review the `W3C
+CORS specification`_.
+
+.. _Cloud Admin Guide: http://docs.openstack.org/admin-guide-cloud/cross_project_cors.html
+.. _W3C CORS specification: www.w3.org/TR/cors/
diff --git a/sahara/main.py b/sahara/main.py
index bdcf5ef4..69990f64 100644
--- a/sahara/main.py
+++ b/sahara/main.py
@@ -18,6 +18,7 @@ import os
 import flask
 from oslo_config import cfg
 from oslo_log import log
+import oslo_middleware.cors as cors_middleware
 from oslo_middleware import request_id
 from oslo_service import systemd
 import six
@@ -154,6 +155,15 @@ def make_app():
         LOG.debug('Logging of request/response exchange could be enabled using'
                   ' flag --log-exchange')
 
+    # Create a CORS wrapper, and attach sahara-specific defaults that must be
+    # included in all CORS responses.
+    app.wsgi_app = cors_middleware.CORS(app.wsgi_app, CONF)
+    app.wsgi_app.set_latent(
+        allow_headers=['X-Auth-Token', 'X-Server-Management-Url'],
+        allow_methods=['GET', 'PUT', 'POST', 'DELETE', 'PATCH'],
+        expose_headers=['X-Auth-Token', 'X-Server-Management-Url']
+    )
+
     if CONF.log_exchange:
         app.wsgi_app = log_exchange.LogExchange.factory(CONF)(app.wsgi_app)
 
diff --git a/tools/config/config-generator.sahara.conf b/tools/config/config-generator.sahara.conf
index a5939604..291154b9 100644
--- a/tools/config/config-generator.sahara.conf
+++ b/tools/config/config-generator.sahara.conf
@@ -8,3 +8,4 @@ namespace = oslo.log
 namespace = oslo.policy
 namespace = oslo.service.periodic_task
 namespace = oslo.service.sslutils
+namespace = oslo.middleware.cors
\ No newline at end of file