It seems if an application sends its own headers they actually get appended (I mistakenly thought they would get overwritten but I think this was confusion from back when I was testing a different method of setting the headers rather than using the middleware).

This is an issue with the allowed origin header because although from what I can tell this is technically valid most browsers refuse to work when you set this header multiple times even if they have the same value.

We can either strip the headers from the application or remove ours in favor of the application's but since applications cannot handle OPTIONS anyway to be consistent I think we should prefer ours. This was actually the original plan anyway but I (foolishly) abandoned it because we were using the middleware. Hopefully there is a way to do this and still use the middleware though.

We will also need to update the documentation.