CORS headers can often cause issues.
# Check HTTP Headers
To check http headers in general you can use a convenient (but rate limited) service like:
- hackertarget.com/http-header-check 
# Wild card CORS
Using wildcard CORS headers is not secure. For wiki we tolerate this as we are not ever writing to the server directly or a users data, and we require federation between an ever expanding ragne of domains by default.
To set wild-card CORS headers (for instance on a microservice you are creating for the federation you may add:
Access-Control-Allow-Origin: *
to the http headers of the response.
# With LocalXpose
To set the CORS or other headers with LocalXpose ensure the LocalXpose config.yaml is set carefully without spaces.
It appears that the CORS headers are passed through the tunnel correctly from the wiki-node-server.
There are issues where ghost-pages are not created with drag and drop - and this may be a timing or keep-alive issue. See config file for possible fix.
In case you wanted to add CORS headers on the commandline you should issue the tunnel command like this:
loclx tunnel http --to localhost:80 --request-header "Access-Control-Allow-Origin: *" --reserved-domain "*.astralship.wiki"
This will add the wildcard CORS header to the tunneled traffic.
> Note: if you use the LocalXpose config.yaml file to configure things - you must not incude spaces in the CORS param.