diff --git a/barbican/common/config.py b/barbican/common/config.py
index b78323d8d..62fbbc09e 100644
--- a/barbican/common/config.py
+++ b/barbican/common/config.py
@@ -22,6 +22,7 @@ import os
 from oslo_config import cfg
 from oslo_log import log
+from oslo_middleware import cors
 from oslo_service import _options
 from barbican import i18n as u
@@ -199,6 +200,10 @@ def new_config():
 conf.register_group(quota_opt_group)
 conf.register_opts(quota_opts, group=quota_opt_group)
+ # Update default values from libraries that carry their own oslo.config
+ # initialization and configuration.
+ set_middleware_defaults()
+
 return conf
@@ -223,6 +228,39 @@ def setup_remote_pydev_debug():
 CONF.pydev_debug_host, CONF.pydev_debug_port)
 raise
+
+def set_middleware_defaults():
+ """Update default configuration options for oslo.middleware."""
+ # CORS Defaults
+ # TODO(krotscheck): Update with https://review.openstack.org/#/c/285368/
+ cfg.set_defaults(cors.CORS_OPTS,
+ allow_headers=['X-Auth-Token',
+ 'X-Openstack-Request-Id',
+ 'X-Project-Id',
+ 'X-Identity-Status',
+ 'X-User-Id',
+ 'X-Storage-Token',
+ 'X-Domain-Id',
+ 'X-User-Domain-Id',
+ 'X-Project-Domain-Id',
+ 'X-Roles'],
+ expose_headers=['X-Auth-Token',
+ 'X-Openstack-Request-Id',
+ 'X-Project-Id',
+ 'X-Identity-Status',
+ 'X-User-Id',
+ 'X-Storage-Token',
+ 'X-Domain-Id',
+ 'X-User-Domain-Id',
+ 'X-Project-Domain-Id',
+ 'X-Roles'],
+ allow_methods=['GET',
+ 'PUT',
+ 'POST',
+ 'DELETE',
+ 'PATCH']
+ )
+
 CONF = new_config()
 LOG = logging.getLogger(__name__)
 parse_args(CONF)
diff --git a/etc/barbican/barbican-api-paste.ini b/etc/barbican/barbican-api-paste.ini
index 6ecbd425d..f039a75ca 100644
--- a/etc/barbican/barbican-api-paste.ini
+++ b/etc/barbican/barbican-api-paste.ini
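Review bot: The comment above `set_middleware_defaults()` in new_config() does not say that these values are now ordinary option defaults, which an operator's own `allow_headers`, `expose_headers` or `allow_methods` in barbican.conf replaces outright. The same commit deletes the `latent_*` keys from barbican-api-paste.ini; if oslo.middleware merged latent values into whatever the operator configured (my reading of that library, not shown here), a deployment that sets a custom header list would silently stop permitting `X-Auth-Token` after this change. I would extend the comment to something like `# These are defaults only: a value set in [cors] replaces the list instead of extending it.` and call the change out in the release notes. new_config() begins above this hunk.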
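Review bot: `expose_headers` in set_middleware_defaults() is given the same ten headers as `allow_headers`, including `X-Auth-Token` and `X-Storage-Token`, so every origin an operator later lists in `allowed_origin` is told that its scripts may read those headers from Barbican responses. Nothing visible here shows Barbican sending them back, so the exposure may be inert, but for a secret store the default should cover only what the API returns; please confirm which of the ten are response headers and drop the rest from `expose_headers`. Because the two lists are identical today, defining the header list once and passing it to both arguments would also stop them drifting apart when the TODO is resolved. The diff adds no test for the function; one asserting the three defaults on `cors.CORS_OPTS` after `new_config()` would pin the behaviour.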
@@ -71,6 +71,3 @@ unwind = false
 [filter:cors]
 paste.filter_factory = oslo_middleware.cors:filter_factory
 oslo_config_project = barbican
-latent_allow_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles
-latent_expose_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles
-latent_allow_methods = GET, PUT, POST, DELETE, PATCH
diff --git a/etc/barbican/barbican.conf b/etc/barbican/barbican.conf
index dc9b03efd..58d5e5e98 100644
--- a/etc/barbican/barbican.conf
+++ b/etc/barbican/barbican.conf
@@ -337,18 +337,18 @@ subca_cert_key_directory=/etc/barbican/snakeoil-cas
 # Indicate which headers are safe to expose to the API. Defaults to
 # HTTP Simple Headers. (list value)
-#expose_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
+#expose_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles
 # Maximum cache age of CORS preflight requests. (integer value)
 #max_age = 3600
 # Indicate which methods can be used during the actual request. (list
 # value)
-#allow_methods = GET,POST,PUT,DELETE,OPTIONS
+#allow_methods = GET,PUT,POST,DELETE,PATCH
 # Indicate which header field names may be used during the actual
 # request. (list value)
-#allow_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
+#allow_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles
 [cors.subdomain]
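Review bot: The help text kept as context above `#expose_headers` still says "Defaults to HTTP Simple Headers", while the new sample value on the next line is the ten `X-*` headers, so the sample file now contradicts itself. An operator reading it cannot tell that token-bearing headers such as `X-Auth-Token` are exposed by default. The wording looks generated from the library's option help, so it may need fixing there; in this file I would at least change it to `# Indicate which headers are safe to expose to the API. (list value)`. The second barbican.conf hunk (at -367, apparently the [cors.subdomain] section) carries the same stale sentence.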
@@ -367,15 +367,15 @@ subca_cert_key_directory=/etc/barbican/snakeoil-cas
 # Indicate which headers are safe to expose to the API. Defaults to
 # HTTP Simple Headers. (list value)
-#expose_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
+#expose_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles
 # Maximum cache age of CORS preflight requests. (integer value)
 #max_age = 3600
 # Indicate which methods can be used during the actual request. (list
 # value)
-#allow_methods = GET,POST,PUT,DELETE,OPTIONS
+#allow_methods = GET,PUT,POST,DELETE,PATCH
 # Indicate which header field names may be used during the actual
 # request. (list value)
-#allow_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
+#allow_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles