diff --git a/config-generator.conf b/config-generator.conf
index 6b4eefed8c..469ec00fec 100644
--- a/config-generator.conf
+++ b/config-generator.conf
@@ -12,6 +12,7 @@ namespace = heat.api.middleware.ssl
 namespace = heat.api.aws.ec2token
 namespace = keystonemiddleware.auth_token
 namespace = oslo.messaging
+namespace = oslo.middleware
 namespace = oslo.db
 namespace = oslo.log
 namespace = oslo.policy
diff --git a/etc/heat/api-paste.ini b/etc/heat/api-paste.ini
index e75c3a1247..7246e14df3 100644
--- a/etc/heat/api-paste.ini
+++ b/etc/heat/api-paste.ini
@@ -1,7 +1,7 @@
 
 # heat-api pipeline
 [pipeline:heat-api]
-pipeline = request_id faultwrap ssl versionnegotiation osprofiler authurl authtoken context apiv1app
+pipeline = cors request_id faultwrap ssl versionnegotiation osprofiler authurl authtoken context apiv1app
 
 # heat-api pipeline for standalone heat
 # ie. uses alternative auth backend that authenticates users against keystone
@@ -12,7 +12,7 @@ pipeline = request_id faultwrap ssl versionnegotiation osprofiler authurl authto
 #   flavor = standalone
 #
 [pipeline:heat-api-standalone]
-pipeline = request_id faultwrap ssl versionnegotiation authurl authpassword context apiv1app
+pipeline = cors request_id faultwrap ssl versionnegotiation authurl authpassword context apiv1app
 
 # heat-api pipeline for custom cloud backends
 # i.e. in heat.conf:
@@ -20,25 +20,25 @@ pipeline = request_id faultwrap ssl versionnegotiation authurl authpassword cont
 #   flavor = custombackend
 #
 [pipeline:heat-api-custombackend]
-pipeline = request_id faultwrap versionnegotiation context custombackendauth apiv1app
+pipeline = cors request_id faultwrap versionnegotiation context custombackendauth apiv1app
 
 # heat-api-cfn pipeline
 [pipeline:heat-api-cfn]
-pipeline = cfnversionnegotiation osprofiler ec2authtoken authtoken context apicfnv1app
+pipeline = cors cfnversionnegotiation osprofiler ec2authtoken authtoken context apicfnv1app
 
 # heat-api-cfn pipeline for standalone heat
 # relies exclusively on authenticating with ec2 signed requests
 [pipeline:heat-api-cfn-standalone]
-pipeline = cfnversionnegotiation ec2authtoken context apicfnv1app
+pipeline = cors cfnversionnegotiation ec2authtoken context apicfnv1app
 
 # heat-api-cloudwatch pipeline
 [pipeline:heat-api-cloudwatch]
-pipeline = versionnegotiation osprofiler ec2authtoken authtoken context apicwapp
+pipeline = cors versionnegotiation osprofiler ec2authtoken authtoken context apicwapp
 
 # heat-api-cloudwatch pipeline for standalone heat
 # relies exclusively on authenticating with ec2 signed requests
 [pipeline:heat-api-cloudwatch-standalone]
-pipeline = versionnegotiation ec2authtoken context apicwapp
+pipeline = cors versionnegotiation ec2authtoken context apicwapp
 
 [app:apiv1app]
 paste.app_factory = heat.common.wsgi:app_factory
@@ -56,6 +56,10 @@ heat.app_factory = heat.api.cloudwatch:API
 paste.filter_factory = heat.common.wsgi:filter_factory
 heat.filter_factory = heat.api.openstack:version_negotiation_filter
 
+[filter:cors]
+paste.filter_factory = oslo_middleware.cors:filter_factory
+oslo_config_project = heat
+
 [filter:faultwrap]
 paste.filter_factory = heat.common.wsgi:filter_factory
 heat.filter_factory = heat.api.openstack:faultwrap_filter