diff --git a/defaults/main.yml b/defaults/main.yml
index 99f6026c..fecea774 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -488,3 +488,17 @@ keystone_required_secrets:
   - keystone_service_password
 
 keystone_uwsgi_init_overrides: {}
+
+## Extra HTTP headers for Keystone
+# Add any additional headers here that Keystone should return.
+#
+# Example:
+#
+#   keystone_extra_headers:
+#     - parameter: "Access-Control-Expose-Headers"
+#       value: "X-Subject-Token"
+#     - parameter: "Access-Control-Allow-Headers"
+#       value: "Content-Type, X-Auth-Token"
+#     - parameter: "Access-Control-Allow-Origin"
+#       value: "*"
+keystone_extra_headers: []
diff --git a/releasenotes/notes/extra-headers-e54a672d3a78dd89.yaml b/releasenotes/notes/extra-headers-e54a672d3a78dd89.yaml
new file mode 100644
index 00000000..370d3309
--- /dev/null
+++ b/releasenotes/notes/extra-headers-e54a672d3a78dd89.yaml
@@ -0,0 +1,15 @@
+---
+features:
+  - |
+    Extra headers can be added to Keystone responses by adding items to
+    ``keystone_extra_headers``. Example:
+
+    .. code-block:: yaml
+
+        keystone_extra_headers:
+          - parameter: "Access-Control-Expose-Headers"
+            value: "X-Subject-Token"
+          - parameter: "Access-Control-Allow-Headers"
+            value: "Content-Type, X-Auth-Token"
+          - parameter: "Access-Control-Allow-Origin"
+            value: "*"
diff --git a/templates/keystone_nginx.conf.j2 b/templates/keystone_nginx.conf.j2
index 94d4d64e..492f2ea4 100644
--- a/templates/keystone_nginx.conf.j2
+++ b/templates/keystone_nginx.conf.j2
@@ -30,5 +30,8 @@ server {
         include     uwsgi_params;
         uwsgi_pass  127.0.0.1:{{ keystone_uwsgi_ports[item]['socket'] }};
         uwsgi_param SCRIPT_NAME '';
+{% for header in keystone_extra_headers %}
+        add_header "{{ header['parameter'] }}" "{{ header['value'] }}";
+{% endfor %}
     }
 }