Fix the API CORS header
This ensures that:
- CORS headers are handled for all /api/* locations
- the same CORS headers are sent for all /api/* locations (implemented in /api/cors)
- OPTIONS requests do not require authentication
- the ACAO header is always sent (even in 4xx responses)
Other changes:
- allow HEAD requests
- remove Content-Type from the allowed headers list (not needed)
- reduce the max age to one day (more than enough)
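
An added example, not part of this commit or the project's code: a check that captured `/api/*` responses satisfy the properties listed in the message above. The function name `check_cors`, the origin, the paths and all sample responses are constructed for illustration, and treating 401/403 on OPTIONS as "requires authentication" is an assumption.

```python
# Added example: audit captured /api/* responses against the properties
# listed in the commit message. All sample data below is constructed.
MAX_AGE_LIMIT = 86400  # one day, in seconds

def _cors(headers):
    """Keep only Access-Control-* headers, with lower-cased names."""
    return {k.lower(): v for k, v in headers.items()
            if k.lower().startswith("access-control-")}

def _tokens(value):
    """Split a comma-separated header value into lower-cased tokens."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}

def check_cors(responses):
    """responses: iterable of (method, path, status, headers). Returns findings."""
    findings, preflights = [], set()
    for method, path, status, headers in responses:
        if not path.startswith("/api/"):
            continue
        cors, where = _cors(headers), f"{method} {path} -> {status}"
        if "access-control-allow-origin" not in cors:
            findings.append(f"{where}: ACAO missing")
        if method != "OPTIONS":
            continue
        if status in (401, 403):  # assumption: these mean auth was demanded
            findings.append(f"{where}: preflight requires authentication")
        if "head" not in _tokens(cors.get("access-control-allow-methods", "")):
            findings.append(f"{where}: HEAD not allowed")
        if "content-type" in _tokens(cors.get("access-control-allow-headers", "")):
            findings.append(f"{where}: Content-Type still in allowed headers")
        max_age = cors.get("access-control-max-age", "")
        if not max_age.isdigit() or int(max_age) > MAX_AGE_LIMIT:
            findings.append(f"{where}: max age missing or above one day")
        preflights.add(tuple(sorted(cors.items())))
    if len(preflights) > 1:
        findings.append("preflight CORS headers differ between /api/* locations")
    return findings

_OK = {"Access-Control-Allow-Origin": "https://app.example",
       "Access-Control-Allow-Methods": "GET, HEAD, POST, OPTIONS",
       "Access-Control-Allow-Headers": "Authorization",
       "Access-Control-Max-Age": "86400"}
GOOD = [("OPTIONS", "/api/users", 204, _OK), ("OPTIONS", "/api/jobs", 204, _OK),
        ("GET", "/api/users", 401, {"Access-Control-Allow-Origin": "https://app.example"})]
BAD = [("OPTIONS", "/api/users", 401, {}),
       ("OPTIONS", "/api/jobs", 204, {**_OK, "Access-Control-Max-Age": "1728000"}),
       ("GET", "/api/jobs", 404, {"Content-Type": "text/html"})]
```

`check_cors(GOOD)` returns an empty list; `check_cors(BAD)` reports the unauthenticated preflight being rejected, the missing ACAO on the 404, the oversized max age, and the mismatch between the two locations.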