fix(api): use default permissive CORS configuration when unset
Turns out CORS defaults to strict if no headers are sent at all, so this permissive default makes more sense.