You shouldn't need to set headers in the JS app, the browser will do that for you in pre-flight.
Which isn't in your screenshot, so I'm assuming that your upstream NodeJS app (
X-Powered-By:Express) is actually trying to add CORS headers already.
This is backed up by seeing what happens when a POST is made to the API, I get two
Access-Control-Allow-Origin headers back instead of one. Usually, when this happens, a JS client / browser will bork, since they expect a single header. The fact there are two responses implies that both Tyk Gateway AND the underlying API are handling CORS:
My suggestion would be to deselect all options in the CORS handler, and just tick "Allow OPTIONS pass-through", this will basically allow CORS pre-flights to go through Tyk without checking and let ExpressJS handle them.
If you want to tyk to handle it, then you'll need to have the underlying API not handle CORS.
Hope that makes sense