diff --git a/module/Rest/src/Middleware/CrossDomainMiddleware.php b/module/Rest/src/Middleware/CrossDomainMiddleware.php
index 88d62904..b438f7ec 100644
--- a/module/Rest/src/Middleware/CrossDomainMiddleware.php
+++ b/module/Rest/src/Middleware/CrossDomainMiddleware.php
@@ -32,8 +32,7 @@ class CrossDomainMiddleware implements MiddlewareInterface, RequestMethodInterfa
         }
 
         // Add Allow-Origin header
-        $response = $response->withHeader('Access-Control-Allow-Origin', $request->getHeader('Origin'))
-                             ->withHeader('Access-Control-Expose-Headers', AuthenticationMiddleware::API_KEY_HEADER);
+        $response = $response->withHeader('Access-Control-Allow-Origin', $request->getHeader('Origin'));
         if ($request->getMethod() !== self::METHOD_OPTIONS) {
             return $response;
         }
@@ -43,6 +42,8 @@ class CrossDomainMiddleware implements MiddlewareInterface, RequestMethodInterfa
 
     private function addOptionsHeaders(ServerRequestInterface $request, ResponseInterface $response): ResponseInterface
     {
+        // TODO This won't work. The route has to be matched from the router as this middleware needs to be executed
+        // before trying to match the route
         /** @var RouteResult|null $matchedRoute */
         $matchedRoute = $request->getAttribute(RouteResult::class);
         $matchedMethods = $matchedRoute !== null ? $matchedRoute->getAllowedMethods() : [
@@ -55,8 +56,8 @@ class CrossDomainMiddleware implements MiddlewareInterface, RequestMethodInterfa
         ];
         $corsHeaders = [
             'Access-Control-Allow-Methods' => implode(',', $matchedMethods),
-            'Access-Control-Max-Age' => $this->config['max_age'],
             'Access-Control-Allow-Headers' => $request->getHeaderLine('Access-Control-Request-Headers'),
+            'Access-Control-Max-Age' => $this->config['max_age'],
         ];
 
         // Options requests should always be empty and have a 204 status code
diff --git a/module/Rest/test-api/Middleware/CorsTest.php b/module/Rest/test-api/Middleware/CorsTest.php
index 4e060352..a1ca9901 100644
--- a/module/Rest/test-api/Middleware/CorsTest.php
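Review bot: The surviving `withHeader('Access-Control-Allow-Origin', $request->getHeader('Origin'))` echoes whatever Origin the client sent, so the effective policy is "any origin"; the test hunks in this commit show the header is simply omitted when no Origin arrives, which is the only gate. That is tolerable only while authentication relies on an explicit `X-Api-Key` request header and `Access-Control-Allow-Credentials` is never emitted — the same echo in front of cookie- or basic-auth-protected endpoints would expose them cross-site. Pin the invariant on that line, e.g. `// Origin is echoed, not allow-listed: this must stay credential-free (no Allow-Credentials; API-key auth only)`, so a later change cannot silently turn it into a hole. Removing `Access-Control-Expose-Headers` also means browser clients can no longer read `X-Api-Key` from responses; if that is deliberate, record it in a comment, since the deleted tests show it used to be an asserted contract. The `process` method that holds this hunk begins and ends outside it.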
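Review bot: The new TODO concedes that `$request->getAttribute(RouteResult::class)` is always null when this middleware runs ahead of routing, so the fallback method list (which continues past the hunk) is what every OPTIONS preflight advertises regardless of path. Shipping that as a comment leaves `Access-Control-Allow-Methods` more permissive than the routes it describes; presumably the impact is a looser advertised policy rather than a bypass, since preflight headers do not themselves authorise anything, but the pipeline order is not visible here to confirm. If the router can be injected, resolving the result with `RouterInterface::match($request)` inside this method would let the header reflect the real route; otherwise the TODO should at least state which methods consumers get today, e.g. `// TODO route is never matched yet, so the generic fallback list below is always used`. `addOptionsHeaders` continues beyond the hunk.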
+++ b/module/Rest/test-api/Middleware/CorsTest.php
@@ -16,7 +16,6 @@ class CorsTest extends ApiTestCase
 
         self::assertEquals(200, $resp->getStatusCode());
         self::assertFalse($resp->hasHeader('Access-Control-Allow-Origin'));
-        self::assertFalse($resp->hasHeader('Access-Control-Expose-Headers'));
         self::assertFalse($resp->hasHeader('Access-Control-Allow-Methods'));
         self::assertFalse($resp->hasHeader('Access-Control-Max-Age'));
         self::assertFalse($resp->hasHeader('Access-Control-Allow-Headers'));
@@ -37,7 +36,6 @@ class CorsTest extends ApiTestCase
 
         self::assertEquals($expectedStatusCode, $resp->getStatusCode());
         self::assertEquals($origin, $resp->getHeaderLine('Access-Control-Allow-Origin'));
-        self::assertEquals('X-Api-Key', $resp->getHeaderLine('Access-Control-Expose-Headers'));
         self::assertFalse($resp->hasHeader('Access-Control-Allow-Methods'));
         self::assertFalse($resp->hasHeader('Access-Control-Max-Age'));
         self::assertFalse($resp->hasHeader('Access-Control-Allow-Headers'));
@@ -66,7 +64,6 @@ class CorsTest extends ApiTestCase
 
         self::assertEquals(204, $resp->getStatusCode());
         self::assertTrue($resp->hasHeader('Access-Control-Allow-Origin'));
-        self::assertTrue($resp->hasHeader('Access-Control-Expose-Headers'));
         self::assertTrue($resp->hasHeader('Access-Control-Max-Age'));
         self::assertEquals($expectedAllowedMethods, $resp->getHeaderLine('Access-Control-Allow-Methods'));
         self::assertEquals($allowedHeaders, $resp->getHeaderLine('Access-Control-Allow-Headers'));
diff --git a/module/Rest/test/Middleware/CrossDomainMiddlewareTest.php b/module/Rest/test/Middleware/CrossDomainMiddlewareTest.php
index 72e95a36..907fb678 100644
--- a/module/Rest/test/Middleware/CrossDomainMiddlewareTest.php
+++ b/module/Rest/test/Middleware/CrossDomainMiddlewareTest.php
@@ -42,7 +42,6 @@ class CrossDomainMiddlewareTest extends TestCase
         self::assertSame($originalResponse, $response);
         self::assertEquals(404, $response->getStatusCode());
         self::assertArrayNotHasKey('Access-Control-Allow-Origin', $headers);
-        self::assertArrayNotHasKey('Access-Control-Expose-Headers', $headers);
         self::assertArrayNotHasKey('Access-Control-Allow-Methods', $headers);
         self::assertArrayNotHasKey('Access-Control-Max-Age', $headers);
         self::assertArrayNotHasKey('Access-Control-Allow-Headers', $headers);
@@ -63,7 +62,6 @@ class CrossDomainMiddlewareTest extends TestCase
 
         $headers = $response->getHeaders();
         self::assertEquals('local', $response->getHeaderLine('Access-Control-Allow-Origin'));
-        self::assertEquals('X-Api-Key', $response->getHeaderLine('Access-Control-Expose-Headers'));
         self::assertArrayNotHasKey('Access-Control-Allow-Methods', $headers);
         self::assertArrayNotHasKey('Access-Control-Max-Age', $headers);
         self::assertArrayNotHasKey('Access-Control-Allow-Headers', $headers);
@@ -85,7 +83,6 @@ class CrossDomainMiddlewareTest extends TestCase
 
         $headers = $response->getHeaders();
         self::assertEquals('local', $response->getHeaderLine('Access-Control-Allow-Origin'));
-        self::assertEquals('X-Api-Key', $response->getHeaderLine('Access-Control-Expose-Headers'));
         self::assertArrayHasKey('Access-Control-Allow-Methods', $headers);
         self::assertEquals('1000', $response->getHeaderLine('Access-Control-Max-Age'));
         self::assertEquals('foo, bar, baz', $response->getHeaderLine('Access-Control-Allow-Headers'));