- If it's not specified, OPTIONS method is defined for every resource created by you, so your mock server will automatically handle all pre-flight requests
- Access-Control-Allow-Origin is set to the value that has been provided in request Origin header. If not present, star ("*") is used
- If Access-Control-Allow-Headers was present in request, it is also returned in response
- Access-Control-Allow-Methods defaults to OPTIONS, HEAD, TRACE, CONNECT plus whatever methods are defined on given path in your blueprint.
Notably, for security reasons, we are intentionally not returning "Access-Control-Allow-Credentials" header that may be needed for some of your CORS requests.
If you need it (or you need to modify any other behaviour), you can always define your own OPTIONS method in API Blueprint and return your own headers.
Also note that we are not touching your requests in proxy mode: your server has to implement its CORS policy correctly on its own.