As a quick addendum, since the CORS preflight is a different kind of OPTIONS request to a regular one, and we probably don’t wanna respond to a regular OPTIONS request with a CORS preflight response, you can also differentiate the two easily by the presence of the Access-Control-Request-Method request header.
This means if you want to be extra neat about it, you can also specify the presence of this header in your advanced matcher so the handle only catches the CORS preflight version and the regular version will be… well, it’ll get 400’d, but that would make more sense than a CORS response anyway and you only need the CORS to work here.
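
A sketch of the matcher described above, as an added example that is not part of the original post. It assumes a Caddy v2 Caddyfile; the site name, allowed origin, allowed methods and headers, and backend address are constructed placeholders.

```caddyfile
# Added example, not from the original post. Host, origin and backend
# values below are constructed placeholders.
api.example.com {
	# Too broad: "method OPTIONS" on its own would also match a regular
	# OPTIONS request and answer it with preflight headers.
	#
	# Narrowed: a CORS preflight is an OPTIONS request that carries
	# Access-Control-Request-Method. "*" matches any value, so this
	# tests only that the header is present.
	@cors_preflight {
		method OPTIONS
		header Access-Control-Request-Method *
	}

	# Only the preflight is answered here.
	handle @cors_preflight {
		header Access-Control-Allow-Origin "https://app.example.com"
		header Access-Control-Allow-Methods "GET, POST, OPTIONS"
		header Access-Control-Allow-Headers "Content-Type"
		header Vary "Origin"
		respond 204
	}

	# Everything else, including a regular OPTIONS request, falls
	# through to the backend, which decides how to answer it.
	handle {
		header Access-Control-Allow-Origin "https://app.example.com"
		header Vary "Origin"
		reverse_proxy localhost:8080
	}
}
```

Listing one explicit origin rather than reflecting the request's Origin header keeps the preflight response from granting access to arbitrary sites.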