diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
index 5cc99014b..df39ef60b 100644
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@@ -14,12 +14,12 @@ class Kernel extends HttpKernel
 * @var array
 */
 protected $middleware = [
+ \Illuminate\Http\Middleware\HandleCors::class,
 \Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode::class,
 \Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
+ \App\Http\Middleware\TrustProxies::class,
 \App\Http\Middleware\TrimStrings::class,
 \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
- \App\Http\Middleware\TrustProxies::class,
- \Illuminate\Http\Middleware\HandleCors::class,
 ];

 /**
diff --git a/config/cors.php b/config/cors.php
index 92b4b8e8c..1e81a015c 100644
--- a/config/cors.php
+++ b/config/cors.php
@@ -22,7 +22,9 @@ return [
 * Example: ['api/*']
 */
 'paths' => [
- '.well-known/*'
+ '.well-known/*',
+ 'api/*',
+ 'oauth/*'
 ],

 /*
@@ -48,7 +50,8 @@ return [
 /*
 * Sets the Access-Control-Expose-Headers response header with these headers.
 */
- 'exposed_headers' => [],
+ // TODO: Add support for rate-limit related headers
+ 'exposed_headers' => ['Link'],

 /*
 * Sets the Access-Control-Max-Age response header when > 0.
@@ -59,4 +62,4 @@ return [
 * Sets the Access-Control-Allow-Credentials header.
 */
 'supports_credentials' => false,
-];
\ No newline at end of file
+];
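Review bot: `HandleCors` now sits ahead of `TrustProxies` in `$middleware`, so CORS handling runs before the forwarded scheme and host headers have been applied to the request. Any check in the CORS layer that depends on the request's URL or host (full-URL path patterns, same-host comparisons) would then see the proxy-facing values; whether this install's CORS code does that is not visible here. Keeping `\App\Http\Middleware\TrustProxies::class,` as the first entry with `HandleCors` directly after it would still let CORS headers reach maintenance-mode responses. The Kernel class continues outside the hunk.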
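Review bot: The `'oauth/*'` pattern added to `paths` turns on CORS handling for every route under that prefix, not only the endpoint a browser client actually needs. `allowed_origins` is outside this hunk, so it is worth confirming that it is an explicit origin list rather than `*` before token-issuing routes become answerable cross-origin. `supports_credentials` stays `false` further down the file, which keeps cookie-authenticated routes from being read across origins. If only token exchange is required, a narrower entry such as `'oauth/token'` (assuming that is the route in use) would limit the surface.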
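Review bot: The TODO above `exposed_headers` does not name the headers it means or point to a tracking issue, and until they are listed a cross-origin browser client cannot read them to back off when throttled. If the API relies on the framework's throttle middleware, the comment could read `// TODO: expose X-RateLimit-Limit, X-RateLimit-Remaining and Retry-After once clients consume them`. Moving it into the `/* ... */` block above the key would also match the comment style used for the other settings in this file.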