Well, you can also set up a reverse proxy (openresty/nginx) and have CORS handled at that level. It would solve ALL the problems with EVERYTHING Where ALL==every access control request from client, and EVERYTHING==every api/rest/openapi/webservice/endpoint on backend side regardless of used technology (php, python, node, c#, etc.).