diff --git a/etc/keystone-paste.ini b/etc/keystone-paste.ini
index bb7d20cc40..4f3b0a289c 100644
--- a/etc/keystone-paste.ini
+++ b/etc/keystone-paste.ini
@@ -23,9 +23,6 @@ use = egg:keystone#json_body
 [filter:cors]
 use = egg:oslo.middleware#cors
 oslo_config_project = keystone
-latent_allow_headers = X-Auth-Token, X-Openstack-Request-Id, X-Subject-Token, X-Project-Id, X-Project-Name, X-Project-Domain-Id, X-Project-Domain-Name, X-Domain-Id, X-Domain-Name
-latent_expose_headers = X-Auth-Token, X-Openstack-Request-Id, X-Subject-Token
-latent_allow_methods = GET, PUT, POST, DELETE, PATCH
 [filter:ec2_extension]
 use = egg:keystone#ec2_extension
diff --git a/etc/keystone.conf.sample b/etc/keystone.conf.sample
index 985a081365..ff62577033 100644
--- a/etc/keystone.conf.sample
+++ b/etc/keystone.conf.sample
@@ -470,17 +470,17 @@
 # Indicate which headers are safe to expose to the API. Defaults to HTTP Simple
 # Headers. (list value)
-#expose_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
+#expose_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
 # Maximum cache age of CORS preflight requests. (integer value)
 #max_age = 3600
 # Indicate which methods can be used during the actual request. (list value)
-#allow_methods = GET,POST,PUT,DELETE,OPTIONS
+#allow_methods = GET,PUT,POST,DELETE,PATCH
 # Indicate which header field names may be used during the actual request.
 # (list value)
-#allow_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
+#allow_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token,X-Project-Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-Domain-Id,X-Domain-Name
 [cors.subdomain]
@@ -498,17 +498,17 @@
 # Indicate which headers are safe to expose to the API. Defaults to HTTP Simple
 # Headers. (list value)
-#expose_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
+#expose_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
 # Maximum cache age of CORS preflight requests. (integer value)
 #max_age = 3600
 # Indicate which methods can be used during the actual request. (list value)
-#allow_methods = GET,POST,PUT,DELETE,OPTIONS
+#allow_methods = GET,PUT,POST,DELETE,PATCH
 # Indicate which header field names may be used during the actual request.
 # (list value)
-#allow_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
+#allow_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token,X-Project-Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-Domain-Id,X-Domain-Name
 [credential]
diff --git a/keystone/common/config.py b/keystone/common/config.py
index 8b42f4e69f..f21d460dde 100644
--- a/keystone/common/config.py
+++ b/keystone/common/config.py
@@ -19,6 +19,7 @@ from oslo_cache import core as cache
 from oslo_config import cfg
 from oslo_log import log
 import oslo_messaging
+from oslo_middleware import cors
 import passlib.utils
 from keystone import exception
@@ -1225,3 +1226,28 @@ def list_opts():
 :returns: a list of (group_name, opts) tuples
 """
 return list(FILE_OPTIONS.items())
+
+
+def set_middleware_defaults():
+ """Update default configuration options for oslo.middleware."""
+ # CORS Defaults
+ # TODO(krotscheck): Update with https://review.openstack.org/#/c/285368/
+ cfg.set_defaults(cors.CORS_OPTS,
+ allow_headers=['X-Auth-Token',
+ 'X-Openstack-Request-Id',
+ 'X-Subject-Token',
+ 'X-Project-Id',
+ 'X-Project-Name',
+ 'X-Project-Domain-Id',
+ 'X-Project-Domain-Name',
+ 'X-Domain-Id',
+ 'X-Domain-Name'],
+ expose_headers=['X-Auth-Token',
+ 'X-Openstack-Request-Id',
+ 'X-Subject-Token'],
+ allow_methods=['GET',
+ 'PUT',
+ 'POST',
+ 'DELETE',
+ 'PATCH']
+ )
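Review bot: The docstring on `set_middleware_defaults()` does not say that these lists are now overridable defaults rather than the `latent_*` settings this commit removes from keystone-paste.ini. An operator who sets `allow_headers` or `expose_headers` under `[cors]` presumably replaces the whole list and loses `X-Auth-Token` and `X-Subject-Token` unless they repeat them. It should also record that `expose_headers` makes `X-Auth-Token` and `X-Subject-Token` readable by scripts from every origin named in `allowed_origin`, so that option should be limited to trusted origins. I would extend the docstring with both points and replace the bare review URL in the TODO with a sentence saying what is expected to change. Note also that `cfg.set_defaults` changes the defaults on the shared `cors.CORS_OPTS` objects, so they apply process-wide rather than only to keystone's own filter.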
diff --git a/keystone/server/common.py b/keystone/server/common.py
index 76e9f9e9ad..7b56ab4331 100644
--- a/keystone/server/common.py
+++ b/keystone/server/common.py
@@ -31,6 +31,7 @@ def configure(version=None, config_files=None,
 config.configure()
 sql.initialize()
 config.set_default_for_default_log_levels()
+ config.set_middleware_defaults()
 CONF(project='keystone', version=version,
 default_config_files=config_files)
diff --git a/setup.cfg b/setup.cfg
index fa00b31a56..708c3763ae 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -175,6 +175,9 @@ oslo.config.opts =
 keystone = keystone.common.config:list_opts
 keystone.notifications = keystone.notifications:list_opts
+oslo.config.opts.defaults =
+ oslo.middleware = keystone.common.config:set_middleware_defaults
+
 paste.filter_factory =
 admin_token_auth = keystone.middleware:AdminTokenAuthMiddleware.factory
 build_auth_context = keystone.middleware:AuthContextMiddleware.factory
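Review bot: In `configure()`, the new `config.set_middleware_defaults()` call is the only place visible in this diff that installs keystone's CORS header and method lists at runtime, and the same commit deletes the `latent_*` lines from keystone-paste.ini. Any path that builds the paste pipeline without going through `configure()` would therefore fall back to oslo.middleware's stock lists, which do not include `X-Auth-Token` or `X-Subject-Token`. I cannot tell from this hunk whether such a path exists, since the function body starts and ends outside it. A comment above the call would make the dependency explicit, for example `# Install keystone's CORS defaults before CONF() is parsed; keystone-paste.ini no longer carries them.`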