Note that in my case, strapi::cors was initially defined before strapi::poweredBy but it only works in exactly this order (cors must be after poweredBy not before).
module.exports = [
'strapi::errors',
'strapi::security',
'strapi::poweredBy',
{
name: 'strapi::cors',
config: {
enabled: true,
headers: '*',
origin: ['http://localhost:1337', 'http://example2']
}
},
'strapi::logger',
'strapi::query',
'strapi::body',
'strapi::session',
'strapi::favicon',
'strapi::public',
];