diff --git a/lib/travis/api/app.rb b/lib/travis/api/app.rb
index ddfe2fc9..049b889b 100644
--- a/lib/travis/api/app.rb
+++ b/lib/travis/api/app.rb
@@ -25,6 +25,7 @@ module Travis::Api
     autoload :Helpers,      'travis/api/app/helpers'
     autoload :Middleware,   'travis/api/app/middleware'
     autoload :Responders,   'travis/api/app/responders'
+    autoload :Cors,         'travis/api/app/cors'
 
     Rack.autoload :SSL, 'rack/ssl'
 
@@ -52,6 +53,7 @@ module Travis::Api
 
     def initialize
       @app = Rack::Builder.app do
+        use Travis::Api::App::Cors
         use Hubble::Rescuer, env: Travis.env, codename: ENV['CODENAME'] if Endpoint.production? && ENV['HUBBLE_ENDPOINT']
         use Rack::Protection::PathTraversal
         use Rack::SSL if Endpoint.production?
diff --git a/lib/travis/api/app/cors.rb b/lib/travis/api/app/cors.rb
new file mode 100644
index 00000000..781efc00
--- /dev/null
+++ b/lib/travis/api/app/cors.rb
@@ -0,0 +1,20 @@
+require 'travis/api/app'
+
+class Travis::Api::App
+  # Implements Cross-Origin Resource Sharing. Supported by all major browsers.
+  # See http://www.w3.org/TR/cors/
+  #
+  # TODO: Be smarter about origin.
+  class Cors < Base
+    before do
+      headers['Access-Control-Allow-Origin']      = "*"
+      headers['Access-Control-Allow-Credentials'] = "true"
+      headers['Access-Control-Expose-Headers']    = "Content-Type, Cache-Control, Expires, Etag, Last-Modified"
+    end
+
+    options // do
+      headers['Access-Control-Allow-Methods'] = "HEAD, GET, POST, PATCH, PUT, DELETE"
+      headers['Access-Control-Allow-Headers'] = "Content-Type, Authorization, Accept, If-None-Match, If-Modified-Since"
+    end
+  end
+end
diff --git a/lib/travis/api/app/middleware/cors.rb b/lib/travis/api/app/middleware/cors.rb
deleted file mode 100644
index 5a93b7a3..00000000
--- a/lib/travis/api/app/middleware/cors.rb
+++ /dev/null
@@ -1,22 +0,0 @@
-require 'travis/api/app'
-
-class Travis::Api::App
-  class Middleware
-    # Implements Cross-Origin Resource Sharing. Supported by all major browsers.
-    # See http://www.w3.org/TR/cors/
-    #
-    # TODO: Be smarter about origin.
-    class Cors < Middleware
-      before do
-        headers['Access-Control-Allow-Origin']      = "*"
-        headers['Access-Control-Allow-Credentials'] = "true"
-        headers['Access-Control-Expose-Headers']    = "Content-Type, Cache-Control, Expires, Etag, Last-Modified"
-      end
-
-      options // do
-        headers['Access-Control-Allow-Methods'] = "HEAD, GET, POST, PATCH, PUT, DELETE"
-        headers['Access-Control-Allow-Headers'] = "Content-Type, Authorization, Accept, If-None-Match, If-Modified-Since"
-      end
-    end
-  end
-end
diff --git a/spec/unit/middleware/cors_spec.rb b/spec/unit/cors_spec.rb
similarity index 93%
rename from spec/unit/middleware/cors_spec.rb
rename to spec/unit/cors_spec.rb
index 16d565bd..83e79914 100644
--- a/spec/unit/middleware/cors_spec.rb
+++ b/spec/unit/cors_spec.rb
@@ -1,9 +1,9 @@
 require 'spec_helper'
 
-describe Travis::Api::App::Middleware::Cors do
+describe Travis::Api::App::Cors do
   before do
     mock_app do
-      use Travis::Api::App::Middleware::Cors
+      use Travis::Api::App::Cors
       get('/check_cors') { 'ok' }
     end
   end