CORS is intended to prevent cross-site scripting attacks, and its correct use is a tad more complicated than just adding that one header. Basically, the client can pre-flight any request by issuing an OPTIONS request to the same URL, plus all responses need a header or two in place. And you should require and validate an incoming "Origin" header on requests. So while that fix has gotten things working in your case, it's just a band-aid. For a production service you probably want to do it right :-)
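
The three pieces the post lists (answering the OPTIONS pre-flight, putting the headers on every response, and requiring and validating `Origin`), shown as an added example that is not part of the original post. The allow-list values, the function name `corsPolicy` and the lower-cased header map (the form Node's `http` module hands to a handler) are assumptions.

```javascript
// Added example: framework-agnostic CORS decision function.
// All names and allow-list values below are constructed for illustration.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const ALLOWED_METHODS = ["GET", "POST", "OPTIONS"];
const ALLOWED_HEADERS = ["content-type", "authorization"];

// Rejections carry no Access-Control-* headers, so the browser blocks the read.
const deny = () => ({ proceed: false, status: 403, headers: { Vary: "Origin" } });

// method: HTTP verb; headers: request headers with lower-cased names.
// Returns the headers to set and whether the real handler should run.
function corsPolicy(method, headers) {
  const origin = headers["origin"];
  // Require Origin and compare it exactly against the allow-list.
  // Never echo back an arbitrary Origin, and never use substring matching.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return deny();

  // These two headers go on every response, pre-flight or not.
  const base = { "Access-Control-Allow-Origin": origin, Vary: "Origin" };

  const wanted = headers["access-control-request-method"];
  if (method === "OPTIONS" && wanted !== undefined) {
    // Pre-flight: check the method and headers the browser is asking about.
    const askedHeaders = (headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    const ok = ALLOWED_METHODS.includes(wanted.toUpperCase()) &&
      askedHeaders.every((h) => ALLOWED_HEADERS.includes(h));
    if (!ok) return deny();
    return {
      proceed: false, // answered here; the real handler is not invoked
      status: 204,
      headers: {
        ...base,
        "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
        "Access-Control-Allow-Headers": ALLOWED_HEADERS.join(", "),
        "Access-Control-Max-Age": "600",
      },
    };
  }
  // Actual request: run the handler and merge `headers` into its response.
  return { proceed: true, status: null, headers: base };
}
```
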