いつか書く。

Access-Control-Allow-Origin

通信許可できる参照元オリジン名。

Access-Control-Allow-Methods

この通信で許可できるメソッド GET, POST, OPTIONS, PUT, PATCH, DELETE

Access-Control-Allow-Headers

通信時にヘッダーに含めても大丈夫な項目。

Access-Control-Allow-Credentials

クッキーをやり取りするかどうか。する場合はtrueを指定します。

エラー

Access to fetch at 'APIのURL' from origin '送信元origin' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header has a value '送信元origin' that is not equal to the supplied origin. Have the server send the header with a valid value, or, if an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

OPTIONSのヘッダーのAccess-Control-Allow-Originの値と実際のメソッドのヘッダーで返しているAccess-Control-Allow-Originの値が異なる。