diff --git a/config/apisix/apisix.yaml b/config/apisix/apisix.yaml index ee96cade..e393086d 100644 --- a/config/apisix/apisix.yaml +++ b/config/apisix/apisix.yaml @@ -8,20 +8,29 @@ routes: - id: 1 name: "ue-unauth" desc: "Unauthenticated routes, including assets and checkout callback API" - priority: 0 + priority: 1 upstream_id: 1 - plugins: {} + plugins: + cors: + allow_origins: "**" + allow_methods: "**" + allow_headers: "**" + allow_credential: true + response-rewrite: + headers: + set: + Referrer-Policy: "origin" uris: - - "/api/v0/payments/checkout/result/*" - - "/static/*" - - "/api/v0/schema/*" + - "/api/*" + - "/_/*" + - "/logged_out/*" - "/auth/*" - - "/_/v0/meta/apisix_test_request/" - - "/logged_out/" + - "/static/*" + - "/favicon.ico" - id: 2 name: "ue-default" desc: "Wildcard route for the rest of the system - authentication required" - priority: 1 + priority: 0 upstream_id: 1 plugins: openid-connect: @@ -33,7 +42,9 @@ routes: bearer_only: false introspection_endpoint_auth_method: "client_secret_post" ssl_verify: false - logout_path: "/logout/" + session: + secret: ${{SECRET_KEY}} + logout_path: "/logout" post_logout_redirect_uri: ${{UE_LOGOUT_URL}} cors: allow_origins: "**" @@ -45,6 +56,18 @@ routes: set: Referrer-Policy: "origin" uris: - - "/*" + - "/cart/*" + - "/admin/*" + - "/establish_session/*" + - "/logout" + - id: 3 + name: "ue-logout-redirect" + desc: "Strip trailing slash from logout redirect." + priority: 0 + upstream_id: 1 + uri: "/logout/*" + plugins: + redirect: + uri: "/logout" #END diff --git a/docker-compose.yml b/docker-compose.yml index d74bfe91..57f22319 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
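Review bot: The new `cors` block on the `ue-unauth` route combines `allow_origins: "**"` with `allow_credential: true`, which in the APISIX cors plugin is the documented "forcefully allow every origin even with credentials" mode, so any third-party page can make cookie-bearing cross-origin requests to these paths and read the responses. List the front-end origins explicitly in `scheme://host:port` form (comma-separated, or driven from an environment variable like the other values in this file) and drop `allow_credential` unless a browser client genuinely needs cookies here. The `uris` change also widens the unauthenticated surface from two specific `/api/v0/...` paths to all of `/api/*` and `/_/*`, and because this route's priority is raised to 1 it now wins over the `ue-default` route, so every API view behind it must enforce its own authentication rather than relying on the gateway's openid-connect plugin — worth confirming against the DRF permission classes, which are not visible here. The `desc` should say so, e.g. `desc: "Unauthenticated at the gateway: static assets, auth callbacks and the whole /api/* surface (views enforce their own auth)"`.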
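Review bot: `session.secret: ${{SECRET_KEY}}` reuses Django's `SECRET_KEY` as the key that protects the gateway's openid-connect session cookie, so a disclosure on either side compromises both and the two cannot be rotated independently. Give the gateway its own value, e.g. `secret: ${{APISIX_SESSION_SECRET}}`, and check the plugin's minimum-length requirement for that secret, since a short or empty value is rejected or, depending on version, silently weak. The surrounding `ssl_verify: false` is pre-existing context rather than part of this change, but it means the introspection/discovery calls to Keycloak are unverified; if it is only meant for the `kc.odl.local` dev setup, driving it from an environment variable with a `true` default would keep it from reaching other environments.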
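Review bot: The `ue-default` route's `desc` still reads "Wildcard route for the rest of the system", but its `uris` are now only `/cart/*`, `/admin/*`, `/establish_session/*` and `/logout`; any other path falls through to the gateway's unmatched-route response instead of reaching the upstream behind authentication. That is fail-closed and probably intended, but it means new application paths must be added here explicitly, so update the description to match, e.g. `desc: "Authenticated routes: cart, admin, session establishment and logout (unlisted paths are not proxied)"`. For the new `ue-logout-redirect` route, note that a static `redirect.uri: "/logout"` does not carry the original query string; if any caller passes parameters on `/logout/`, the redirect target would need `$args` appended — I cannot tell from the hunk whether that matters.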
@@ -76,14 +76,14 @@ services: - django_media:/var/media api: - image: apache/apisix - platform: linux/amd64 + image: apache/apisix:latest environment: - KEYCLOAK_REALM=${KEYCLOAK_REALM:-ol-local} - KEYCLOAK_CLIENT_ID=${KEYCLOAK_CLIENT_ID:-apisix} - KEYCLOAK_CLIENT_SECRET=${KEYCLOAK_CLIENT_SECRET} - KEYCLOAK_DISCOVERY_URL=${KEYCLOAK_DISCOVERY_URL:-https://kc.odl.local:7443/realms/ol-local/.well-known/openid-configuration} - APISIX_PORT=${APISIX_PORT:-9080} + - SECRET_KEY=${SECRET_KEY} - UE_LOGOUT_URL=${UE_LOGOUT_URL:-http://ue.odl.local:9080/auth/logout/} ports: - 9080:9080 diff --git a/poetry.lock b/poetry.lock index ffee2288..99c18250 100644 --- a/poetry.lock +++ b/poetry.lock @@ -1200,17 +1200,14 @@ python-ipware = ">=2.0.3" [[package]] name = "django-json-widget" -version = "1.1.1" +version = "2.0.1" description = "Django json widget is an alternative widget that makes it easy to edit the jsonfield field of django." optional = false python-versions = "*" files = [ - {file = "django-json-widget-1.1.1.tar.gz", hash = "sha256:ec948a4c379687f9c854748ba540fdbeb1b1730846ca953f186818521de7e696"}, + {file = "django-json-widget-2.0.1.tar.gz", hash = "sha256:adb4cab17fe5a04139037d7d84725369530ef35b912c3790d3a7b13f99351358"}, ] -[package.dependencies] -future = "*" - [[package]] name = "django-oauth-toolkit" version = "2.4.0" @@ -1576,17 +1573,6 @@ files = [ [package.dependencies] python-dateutil = ">=2.7" -[[package]] -name = "future" -version = "1.0.0" -description = "Clean single-source support for Python 3 and 2" -optional = false -python-versions = ">=2.6, !=3.0.*, !=3.1.*, !=3.2.*" -files = [ - {file = "future-1.0.0-py3-none-any.whl", hash = "sha256:929292d34f5872e70396626ef385ec22355a1fae8ad29e1a734c3e43f9fbc216"}, - {file = "future-1.0.0.tar.gz", hash = "sha256:bd2968309307861edae1458a4f8a4f3598c03be43b97521076aebf5d94c07b05"}, -] - [[package]] name = "google-api-core" version = "2.23.0" 
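Review bot: `image: apache/apisix:latest` leaves the authentication gateway unpinned, so a routine `docker compose pull` can change plugin behaviour (the cors and openid-connect semantics this change depends on) without any diff in the repository; pin a specific release tag and ideally a `@sha256:` digest, as the previous `platform: linux/amd64` line at least fixed the architecture. The new `- SECRET_KEY=${SECRET_KEY}` has no default and no guard, so if the variable is unset the gateway receives an empty string as its session secret; use `- SECRET_KEY=${SECRET_KEY:?SECRET_KEY must be set}` so compose fails fast instead. The same `:?` treatment would suit the pre-existing `KEYCLOAK_CLIENT_SECRET` line for the same reason.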
@@ -4327,4 +4313,4 @@ testing = ["coverage[toml]", "zope.event", "zope.testing"] [metadata] lock-version = "2.0" python-versions = "^3.11.0" -content-hash = "e5620c30ca7cd18cd7d873c50725a83719fefb76d1edb4b22949fe7ba67f8bbd" +content-hash = "e13ed1b67ab7b50eef0a25fbe80a6dbeb20350b17b0efbc86575342e5c2cc22e" diff --git a/pyproject.toml b/pyproject.toml index 6323a8f3..c0f20e66 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -30,7 +30,7 @@ django-guardian = "^2.4.0" django-hijack = "^3.4.1" django-imagekit = "^5.0.0" django-ipware = "^6.0.0" -django-json-widget = "^1.1.1" +django-json-widget = "^2.0.0" django-redis = "^5.0.0" django-server-status = "^0.7.0" django-storages = "^1.13.2" diff --git a/unified_ecommerce/settings.py b/unified_ecommerce/settings.py index c89b10c6..38889a5b 100644 --- a/unified_ecommerce/settings.py +++ b/unified_ecommerce/settings.py @@ -134,7 +134,7 @@ LOGIN_URL = "/login" LOGIN_ERROR_URL = "/login" LOGOUT_URL = "/logout" -LOGOUT_REDIRECT_URL = "/logged_out" +LOGOUT_REDIRECT_URL = "/logged_out/" ROOT_URLCONF = "unified_ecommerce.urls" diff --git a/users/views.py b/users/views.py index c3e2e0e6..ab0a560e 100644 --- a/users/views.py +++ b/users/views.py @@ -40,12 +40,14 @@ def establish_session(request): session check API endpoint. """ + next_url = settings.MITOL_UE_PAYMENT_BASKET_CHOOSER + if "next" in request.GET: try: system = IntegratedSystem.objects.get(slug=request.GET["next"]) next_url = f"{settings.MITOL_UE_PAYMENT_BASKET_ROOT}{system.slug}/" except IntegratedSystem.DoesNotExist: - next_url = settings.MITOL_UE_PAYMENT_BASKET_CHOOSER + pass next_url = request.session.get("next", next_url)
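Review bot: In `establish_session`, the value validated against `IntegratedSystem` is immediately replaced by `request.session.get("next", next_url)`, so the slug lookup only matters when the session carries no `next`; if `session["next"]` is populated from a request parameter elsewhere (not visible here), the eventual redirect would trust an unvalidated URL. Consider applying `url_has_allowed_host_and_scheme` from `django.utils.http`, or requiring the session value to start with `settings.MITOL_UE_PAYMENT_BASKET_ROOT`, before it is used as a redirect target. The new `except IntegratedSystem.DoesNotExist: pass` is a deliberate fallback to the chooser, but a `logger.debug("unknown integrated system slug %r in next", request.GET["next"])` would make a mistyped slug in a partner link diagnosable. The function's body continues past the end of the hunk, so the redirect itself is not visible in this review.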