In clients like Postman or Thunder Client, the CORS policy will be bypassed.
But in browsers, for any dev or local environment, the response from the backend should include headers that allow access from cross origins, similar to this:

    'headers': {
        'Access-Control-Allow-Headers': 'Content-Type',
        'Access-Control-Allow-Origin': '*',
        'Access-Control-Allow-Methods': 'OPTIONS,POST,GET'
    },

In production, try to include only the specific domain of the frontend:

    'headers': {
        'Access-Control-Allow-Headers': 'Content-Type',
        'Access-Control-Allow-Origin': 'https://your-frontend-domain.com',
        'Access-Control-Allow-Methods': 'OPTIONS,POST,GET'
    },
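
An added example, not part of the original answer: one way to serve both the local and the production frontend without falling back to `'*'` is to echo the request's `Origin` only when it exactly matches an allowlist. It assumes a Lambda-style handler behind an API Gateway proxy integration (`event.httpMethod`, `event.headers`); the names `ALLOWED_ORIGINS`, `corsHeaders` and `buildResponse` and the localhost port are hypothetical.

```javascript
// Allowlist of frontend origins (placeholder values, adjust to your deployment).
const ALLOWED_ORIGINS = new Set([
  'https://your-frontend-domain.com',
  'http://localhost:3000', // local dev frontend (assumed port)
]);

// Build the CORS response headers for a given request Origin value.
function corsHeaders(requestOrigin) {
  const headers = {
    'Access-Control-Allow-Headers': 'Content-Type',
    'Access-Control-Allow-Methods': 'OPTIONS,POST,GET',
    // The response differs per origin, so shared caches must key on it.
    'Vary': 'Origin',
  };
  // Exact string match only: substring or prefix checks would also accept
  // look-alike origins such as https://your-frontend-domain.com.evil.example
  if (typeof requestOrigin === 'string' && ALLOWED_ORIGINS.has(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
  }
  // For any other origin the Allow-Origin header is omitted, so the
  // browser refuses to expose the response to that page.
  return headers;
}

// Assumed event shape: API Gateway proxy integration.
function buildResponse(event) {
  const reqHeaders = event.headers || {};
  // HTTP header names are case-insensitive; find "Origin" in any casing.
  const key = Object.keys(reqHeaders).find((k) => k.toLowerCase() === 'origin');
  const headers = corsHeaders(key ? reqHeaders[key] : undefined);

  // Preflight request: answer with the headers only, no body.
  if (event.httpMethod === 'OPTIONS') {
    return { statusCode: 204, headers, body: '' };
  }
  return { statusCode: 200, headers, body: JSON.stringify({ ok: true }) };
}

// Entry point in the shape an async Lambda handler would have.
const handler = async (event) => buildResponse(event);
```

The headers only control what browsers let a page read; requests from Postman or similar clients still reach the backend, so authentication and authorization have to be enforced separately.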