super CORS for nginx.conf

# Super CORS for NGINX
# NOT YET TESTED
# Based on https://enable-cors.org/server_nginx.html
#   which was based on https://michielkalkman.com/snippets/nginx-cors-open-configuration/

location / {
  # preflight
  if ($request_method = 'OPTIONS') {
    add_header 'Access-Control-Allow-Origin' "$http_origin"; # wildcard wouldn’t work with Access-Control-Allow-Credentials
    add_header 'Access-Control-Allow-Credentials' 'true';
    add_header 'Access-Control-Allow-Methods' 'DELETE, GET, PATCH, POST, PUT, OPTIONS';
    add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
    add_header 'Access-Control-Max-Age' 1728000;
    add_header 'Content-Type' 'text/plain; charset=UTF-8';
    add_header 'Content-Length' 0;
    return 204;
  }

  # non-preflight
  if ($request_method ~ (DELETE|GET|PATCH|POST|PUT) {
    # You might look at this and think this is duplicative with the above conditional
    # block, and you’d be right — but don’t try to fix it. It has to be this way due to
    # the quirks of how `if` and `add_header` work together.
    add_header 'Access-Control-Allow-Origin' "$http_origin"; # wildcard wouldn’t work with Access-Control-Allow-Credentials
    add_header 'Access-Control-Allow-Credentials' 'true';
    add_header 'Access-Control-Allow-Methods' 'DELETE, GET, PATCH, POST, PUT, OPTIONS';
    add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
  }
}