diff --git a/samples/Mvc.Server/Startup.cs b/samples/Mvc.Server/Startup.cs
index 256798bb..52c87ea3 100644
--- a/samples/Mvc.Server/Startup.cs
+++ b/samples/Mvc.Server/Startup.cs
@@ -14,7 +14,6 @@ using NWebsec.Middleware;
 using OpenIddict;
 using OpenIddict.Models;
 
-
 namespace Mvc.Server {
     public class Startup {
         public static void Main(string[] args) {
diff --git a/src/OpenIddict.Security/OpenIddictExtensions.cs b/src/OpenIddict.Security/OpenIddictExtensions.cs
index bda7d6e6..b5335eb4 100644
--- a/src/OpenIddict.Security/OpenIddictExtensions.cs
+++ b/src/OpenIddict.Security/OpenIddictExtensions.cs
@@ -16,7 +16,7 @@ namespace Microsoft.AspNet.Builder {
         public static OpenIddictBuilder UseNWebsec(
             [NotNull] this OpenIddictBuilder builder,
             [NotNull] Action<IFluentCspOptions> configuration) {
-            return builder.AddModule("NWebsec", -20, app => {
+            return builder.AddModule("NWebsec", 5, app => {
                 // Insert a new middleware responsible of setting the Content-Security-Policy header.
                 // See https://nwebsec.codeplex.com/wikipage?title=Configuring%20Content%20Security%20Policy&referringTitle=NWebsec
                 app.UseCsp(configuration);
diff --git a/src/OpenIddict/OpenIddictExtensions.cs b/src/OpenIddict/OpenIddictExtensions.cs
index 52ab7e86..59238a36 100644
--- a/src/OpenIddict/OpenIddictExtensions.cs
+++ b/src/OpenIddict/OpenIddictExtensions.cs
@@ -34,9 +34,9 @@ namespace Microsoft.AspNet.Builder {
             [NotNull] this IApplicationBuilder app,
             [NotNull] Action<OpenIddictBuilder> configuration) {
             return app.UseOpenIddictCore(builder => {
-                builder.UseNWebsec();
-                builder.UseCors();
                 builder.UseAssets();
+                builder.UseCors();
+                builder.UseNWebsec();
                 builder.UseMvc();
 
                 configuration(builder);