diff --git a/cvat/requirements/base.txt b/cvat/requirements/base.txt
index 3c8c5d52617d..478b9b0d2ef0 100644
--- a/cvat/requirements/base.txt
+++ b/cvat/requirements/base.txt
@@ -45,5 +45,5 @@ keras==2.2.5
 opencv-python==4.1.0.25
 h5py==2.9.0
 imgaug==0.2.9
-django-cors-headers==3.0.2
+django-cors-headers==3.2.0
 furl==2.0.0
diff --git a/cvat/settings/base.py b/cvat/settings/base.py
index 54d2e281aa56..689a8eab68e6 100644
--- a/cvat/settings/base.py
+++ b/cvat/settings/base.py
@@ -174,13 +174,15 @@ def generate_ssh_keys():
 MIDDLEWARE = [
     'django.middleware.security.SecurityMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
+    'corsheaders.middleware.CorsMiddleware',
     'django.middleware.common.CommonMiddleware',
     'django.middleware.csrf.CsrfViewMiddleware',
+    # FIXME
+    # 'corsheaders.middleware.CorsPostCsrfMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'django.contrib.messages.middleware.MessageMiddleware',
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
     'dj_pagination.middleware.PaginationMiddleware',
-    'corsheaders.middleware.CorsMiddleware',
 ]
 
 # Cross-Origin Resource Sharing settings for CVAT UI
@@ -191,6 +193,7 @@ def generate_ssh_keys():
 CSRF_TRUSTED_ORIGINS = [UI_HOST]
 UI_URL = '{}://{}:{}'.format(UI_SCHEME, UI_HOST, UI_PORT)
 CORS_ORIGIN_WHITELIST = [UI_URL]
+CORS_REPLACE_HTTPS_REFERER = True
 
 STATICFILES_FINDERS = [
     'django.contrib.staticfiles.finders.FileSystemFinder',