Describe the bug

As of now some CORS parameters are configurable via env vars e.g. OCIS_CORS_ALLOW_METHODS, OCIS_CORS_ALLOW_HEADERS (and OCIS_CORS_EXPOSE_HEADERS - see upcoming PR by @butonic )

Besides the fact that different services require different methods and headers and need to be configured on service level - changing the working default to anything different will most probably break some services partially.

Proposal

Do not configure allow methods, allow headers, expose headers and max ago but leave this to the individual services.