The Access-Control-Allow-Headers response header is sent in response to a preflight request that includes
Access-Control-Request-Headers, and it indicates which HTTP headers can be used during the actual request.
In this lesson, we'll secure our API by building an allowlist of origins that can access our API, and update the CORS functionality in our code to adopt that allowlist when handling requests.
includes seems like the wrong option for checkOrigin. Wouldn't someone be able to create a URL that's like https://serverless-api-viewer.pages.dev.malicious.website.com and have it match?
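The difference between substring and exact origin matching that the comment above points at, as an added example (not the lesson's own code). The allowlist entries, the function names `checkOriginSubstring`, `checkOriginExact` and `corsHeaders`, and the `Content-Type` header value are assumptions made for illustration.

```javascript
// Added example. Allowlist entries are assumed, not taken from the lesson.
const ALLOWED_ORIGINS = new Set([
  "https://serverless-api-viewer.pages.dev", // assumed production origin
  "http://localhost:3000",                   // assumed local development origin
]);

// Substring matching, the pattern the comment questions: an origin passes
// as soon as it merely contains an allowed string anywhere inside it.
function checkOriginSubstring(origin) {
  if (!origin) return false;
  return [...ALLOWED_ORIGINS].some((allowed) => origin.includes(allowed));
}

// Exact matching: parse the header value, require that it is already a bare
// origin (scheme://host[:port]), then compare the whole string to the allowlist.
function checkOriginExact(origin) {
  if (!origin) return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false; // "null" or any value that is not an absolute URL
  }
  // Reject values carrying a path, query, credentials or non-canonical casing.
  if (parsed.origin !== origin) return false;
  return ALLOWED_ORIGINS.has(parsed.origin);
}

// Build CORS response headers for a given Origin request header value.
// The origin is echoed back only after an exact allowlist match; Vary: Origin
// keeps shared caches from serving one origin's response to another.
function corsHeaders(origin) {
  const headers = { Vary: "Origin" };
  if (checkOriginExact(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Headers"] = "Content-Type"; // assumed header set
  }
  return headers;
}
```
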