diff --git a/aodh/tests/functional/gabbi/fixtures.py b/aodh/tests/functional/gabbi/fixtures.py
index c13f62622..cfa91f27d 100644
--- a/aodh/tests/functional/gabbi/fixtures.py
+++ b/aodh/tests/functional/gabbi/fixtures.py
@@ -21,6 +21,7 @@ import uuid
 
 from gabbi import fixture
 import mock
+from oslo_config import cfg
 from oslo_config import fixture as fixture_config
 from oslo_policy import opts
 from six.moves.urllib import parse as urlparse
@@ -95,3 +96,24 @@ class ConfigFixture(fixture.GabbiFixture):
             storage.get_connection_from_config(self.conf).clear()
             self.conf.reset()
         service.prepare_service = self.prepare_service
+
+
+class CORSConfigFixture(fixture.GabbiFixture):
+    """Inject mock configuration for the CORS middleware."""
+
+    def start_fixture(self):
+        # Here we monkeypatch GroupAttr.__getattr__, necessary because the
+        # paste.ini method of initializing this middleware creates its own
+        # ConfigOpts instance, bypassing the regular config fixture.
+
+        def _mock_getattr(instance, key):
+            if key != 'allowed_origin':
+                return self._original_call_method(instance, key)
+            return "http://valid.example.com"
+
+        self._original_call_method = cfg.ConfigOpts.GroupAttr.__getattr__
+        cfg.ConfigOpts.GroupAttr.__getattr__ = _mock_getattr
+
+    def stop_fixture(self):
+        """Remove the monkeypatch."""
+        cfg.ConfigOpts.GroupAttr.__getattr__ = self._original_call_method
diff --git a/aodh/tests/functional/gabbi/gabbi_paste.ini b/aodh/tests/functional/gabbi/gabbi_paste.ini
index e54456db7..c4034ee14 100644
--- a/aodh/tests/functional/gabbi/gabbi_paste.ini
+++ b/aodh/tests/functional/gabbi/gabbi_paste.ini
@@ -8,10 +8,17 @@
 
 # Remove authtoken from the pipeline if you don't want to use keystone authentication
 [pipeline:main]
-pipeline = request_id api-server
+pipeline = cors request_id api-server
 
 [app:api-server]
 paste.app_factory = aodh.api.app:app_factory
 
 [filter:request_id]
 paste.filter_factory = oslo_middleware:RequestId.factory
+
+[filter:cors]
+paste.filter_factory = oslo_middleware.cors:filter_factory
+oslo_config_project = aodh
+latent_allow_headers = X-Auth-Token, X-Openstack-Request-Id, X-Subject-Token
+latent_expose_headers = X-Auth-Token, X-Openstack-Request-Id, X-Subject-Token
+latent_allow_methods = GET, PUT, POST, DELETE, PATCH
diff --git a/aodh/tests/functional/gabbi/gabbits/middleware.yaml b/aodh/tests/functional/gabbi/gabbits/middleware.yaml
new file mode 100644
index 000000000..3d2204833
--- /dev/null
+++ b/aodh/tests/functional/gabbi/gabbits/middleware.yaml
@@ -0,0 +1,44 @@
+#
+# Test the middlewares. Just CORS for now.
+#
+
+fixtures:
+    - ConfigFixture
+    - CORSConfigFixture
+
+tests:
+
+    - name: valid cors options
+      OPTIONS: /
+      status: 200
+      request_headers:
+          origin: http://valid.example.com
+          access-control-request-method: GET
+      response_headers:
+          access-control-allow-origin: http://valid.example.com
+
+    - name: invalid cors options
+      OPTIONS: /
+      status: 200
+      request_headers:
+          origin: http://invalid.example.com
+          access-control-request-method: GET
+      response_forbidden_headers:
+          - access-control-allow-origin
+
+    - name: valid cors get
+      GET: /
+      status: 200
+      request_headers:
+          origin: http://valid.example.com
+          access-control-request-method: GET
+      response_headers:
+          access-control-allow-origin: http://valid.example.com
+
+    - name: invalid cors get
+      GET: /
+      status: 200
+      request_headers:
+          origin: http://invalid.example.com
+      response_forbidden_headers:
+          - access-control-allow-origin
diff --git a/etc/aodh/aodh-config-generator.conf b/etc/aodh/aodh-config-generator.conf
index 48155071a..c2f6f4557 100644
--- a/etc/aodh/aodh-config-generator.conf
+++ b/etc/aodh/aodh-config-generator.conf
@@ -6,6 +6,7 @@ namespace = aodh-auth
 namespace = oslo.db
 namespace = oslo.log
 namespace = oslo.messaging
+namespace = oslo.middleware.cors
 namespace = oslo.policy
 namespace = oslo.service.service
 namespace = keystonemiddleware.auth_token
diff --git a/etc/aodh/api_paste.ini b/etc/aodh/api_paste.ini
index 2bfb28b67..fc58aa67f 100644
--- a/etc/aodh/api_paste.ini
+++ b/etc/aodh/api_paste.ini
@@ -5,7 +5,7 @@
 
 # Remove authtoken from the pipeline if you don't want to use keystone authentication
 [pipeline:main]
-pipeline = request_id authtoken api-server
+pipeline = cors request_id authtoken api-server
 
 [app:api-server]
 paste.app_factory = aodh.api.app:app_factory
@@ -17,3 +17,9 @@ oslo_config_project = aodh
 [filter:request_id]
 paste.filter_factory = oslo_middleware:RequestId.factory
 
+[filter:cors]
+paste.filter_factory = oslo_middleware.cors:filter_factory
+oslo_config_project = aodh
+latent_allow_headers = X-Auth-Token, X-Openstack-Request-Id, X-Subject-Token
+latent_expose_headers = X-Auth-Token, X-Openstack-Request-Id, X-Subject-Token
+latent_allow_methods = GET, PUT, POST, DELETE, PATCH
\ No newline at end of file
diff --git a/requirements.txt b/requirements.txt
index d50df65de..233ab892a 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -19,7 +19,7 @@ PasteDeploy>=1.5.0
 pbr<2.0,>=0.11
 pecan>=0.8.0
 oslo.messaging>2.6.1,!=2.8.0 # Apache-2.0
-oslo.middleware!=2.0.0,>=1.2.0 # Apache-2.0
+oslo.middleware>=3.0.0 # Apache-2.0
 oslo.serialization>=1.4.0 # Apache-2.0
 oslo.utils>=1.9.0 # Apache-2.0
 python-ceilometerclient>=1.5.0