The CorsMiddleware registered in app.php adds Access-Control-Allow-Origin + related headers to every response. It also intercepts OPTIONS preflight requests automatically — try curl -X OPTIONS http://host/anything.
(none) * (or whatever ZEALPHP_CORS_ORIGINS is set to)Origin