diff --git a/app/Foundation/Providers/RouteServiceProvider.php b/app/Foundation/Providers/RouteServiceProvider.php
index 9a17c2a6ec44..45c01a5d2b34 100644
--- a/app/Foundation/Providers/RouteServiceProvider.php
+++ b/app/Foundation/Providers/RouteServiceProvider.php
@@ -11,10 +11,10 @@
 namespace CachetHQ\Cachet\Foundation\Providers;
-use Barryvdh\Cors\HandleCors;
 use CachetHQ\Cachet\Http\Middleware\Acceptable;
 use CachetHQ\Cachet\Http\Middleware\Authenticate;
 use CachetHQ\Cachet\Http\Middleware\Timezone;
+use CachetHQ\Cachet\Http\Middleware\VerifyCsrfToken;
 use CachetHQ\Cachet\Http\Routes\ApiSystemRoutes;
 use CachetHQ\Cachet\Http\Routes\AuthRoutes;
 use CachetHQ\Cachet\Http\Routes\Setup\ApiRoutes as ApiSetupRoutes;
@@ -22,7 +22,6 @@
 use CachetHQ\Cachet\Http\Routes\SignupRoutes;
 use Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse;
 use Illuminate\Cookie\Middleware\EncryptCookies;
-use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken;
 use Illuminate\Foundation\Support\Providers\RouteServiceProvider as ServiceProvider;
 use Illuminate\Routing\Middleware\SubstituteBindings;
 use Illuminate\Routing\Router;
@@ -171,7 +170,6 @@ protected function mapForBrowser(Router $router, $routes, $applyAlwaysAuthentica
 protected function mapOtherwise(Router $router, $routes, $applyAlwaysAuthenticate)
 {
 $middleware = [
- HandleCors::class,
 SubstituteBindings::class,
 Acceptable::class,
 Timezone::class,
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
index 775f4691803d..c0079a833167 100644
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@@ -12,6 +12,7 @@
 namespace CachetHQ\Cachet\Http;
 use AltThree\Throttle\ThrottlingMiddleware;
+use Barryvdh\Cors\HandleCors;
 use CachetHQ\Cachet\Http\Middleware\Admin;
 use CachetHQ\Cachet\Http\Middleware\ApiAuthentication;
 use CachetHQ\Cachet\Http\Middleware\Authenticate;
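Review bot: The added `use CachetHQ\Cachet\Http\Middleware\VerifyCsrfToken;` line swaps the framework's CSRF middleware for an app-local class whose body is not readable in this chunk (the new-file hunk is garbled), so the `$except` list such a subclass usually carries cannot be checked here. Every URI placed in that list is exempt from CSRF verification on the browser-facing stack, so the exemptions should be limited to routes that authenticate only via the `X-Cachet-Token` header and never via the session cookie, and the class should carry a short docblock stating why each entry is excluded. The place where the imported class is used lies outside this hunk.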
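Review bot: Dropping `HandleCors::class` from the `mapOtherwise` stack leaves CORS to the route-level `cors` alias, which only runs once a request has been matched to a routed action; a browser preflight `OPTIONS` request carries no `X-Cachet-Token`, so if the router answers OPTIONS with its own synthetic route (as Laravel 5.x does) or `auth.api` runs first, the preflight is answered without CORS headers or rejected before HandleCors sees it. Keeping `HandleCors::class` in the global `$middleware` array of `Kernel.php`, or at least listing `'cors'` before `'auth.api'` in the API group, avoids that; worth confirming with a cross-origin request from a real browser. The body of `mapOtherwise` continues past the end of the hunk.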
@@ -33,8 +34,8 @@ class Kernel extends HttpKernel
 * @var array
 */
 protected $middleware = [
- TrustProxies::class,
- CheckForMaintenanceMode::class,
+ // TrustProxies::class,
+ // CheckForMaintenanceMode::class,
 ];
 /**
@@ -45,6 +46,7 @@ class Kernel extends HttpKernel
 protected $routeMiddleware = [
 'admin' => Admin::class,
 'can' => Authorize::class,
+ 'cors' => HandleCors::class,
 'auth' => Authenticate::class,
 'auth.api' => ApiAuthentication::class,
 'guest' => RedirectIfAuthenticated::class,
diff --git a/app/Http/Middleware/VerifyCsrfToken.php b/app/Http/Middleware/VerifyCsrfToken.php
new file mode 100644
index 000000000000..03736d466662
--- /dev/null
+++ b/app/Http/Middleware/VerifyCsrfToken.php
@@ -0,0 +1,33 @@
+ 'Api', 'prefix' => 'api/v1', ], function (Registrar $router) {
- $router->group(['middleware' => ['auth.api']], function (Registrar $router) {
+ $router->group(['middleware' => ['auth.api', 'cors']], function (Registrar $router) {
 $router->get('components', 'ComponentController@index');
 $router->get('components/groups', 'ComponentGroupController@index');
 $router->get('components/groups/{component_group}', 'ComponentGroupController@show');
diff --git a/config/cors.php b/config/cors.php
index fb12f8c9df49..6e843598bebd 100644
--- a/config/cors.php
+++ b/config/cors.php
@@ -10,6 +10,7 @@
 */
 return [
+
 /*
 |--------------------------------------------------------------------------
 | Laravel CORS
@@ -19,11 +20,13 @@
 | to accept any value.
 |
 */
- 'supportsCredentials' => false,
- 'allowedOrigins' => ['*'],
- 'allowedHeaders' => ['X-Cachet-Token'],
- 'allowedMethods' => ['*'],
- 'exposedHeaders' => [],
- 'maxAge' => 3600,
- 'hosts' => [],
+
+ 'supportsCredentials' => false,
+ 'allowedOrigins' => ['*'],
+ 'allowedOriginsPatterns' => [],
+ 'allowedHeaders' => ['X-Cachet-Token'],
+ 'allowedMethods' => ['*'],
+ 'exposedHeaders' => [],
+ 'maxAge' => 3600,
+
 ];
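Review bot: The two commented-out entries `// TrustProxies::class,` and `// CheckForMaintenanceMode::class,` disable both global middlewares without saying why; commented-out code should either be deleted or carry a one-line reason. With `TrustProxies` gone, `X-Forwarded-*` headers from a reverse proxy are no longer honoured, so `$request->ip()` and scheme detection see the proxy rather than the client, and anything keyed on the client address — presumably the `ThrottlingMiddleware` imported in this file — would then throttle per proxy rather than per client; with `CheckForMaintenanceMode` gone, `php artisan down` no longer blocks requests. If the removal is intentional, delete the lines, drop the now-unused `use` imports (outside the hunk) and replace them with a comment such as `// TrustProxies and CheckForMaintenanceMode intentionally disabled: <reason>`.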
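Review bot: `'allowedHeaders' => ['X-Cachet-Token']` on the new side of the second cors.php hunk lists only the token header, so a cross-origin browser call that sends a JSON body with `Content-Type: application/json` triggers a preflight the browser will refuse, because `Content-Type` is never echoed in `Access-Control-Allow-Headers`; if browser clients are expected to POST JSON, add `'Content-Type'` to that list. The pairing of `'allowedOrigins' => ['*']` with `'supportsCredentials' => false` is consistent — no cookie rides along cross-origin, so the token header is the only credential the API accepts from another origin — and that reasoning is worth a sentence in the block comment above the keys.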