No idea, really. I have read Express and CORS code few times. There is literally nothing suspicious in the CORS code. There is definitely something wrong with it, but I fail to see where exactly. The only idea I have is to replace slow express with fastify, which seems to be more optimised for our kind of load.