if ($request_method = 'OPTIONS') {
  add_header 'Access-Control-Allow-Origin' '*';
  add_header 'Access-Control-Allow-Methods' 'GET, POST, DELETE';
  add_header 'Access-Control-Allow-Headers' 'Content-Type';
  # cache CORS for 24 hours
  add_header 'Access-Control-Max-Age' 86400;
  # return empty response for preflight
  add_header 'Content-Type' 'text/plain; charset=UTF-8';
  add_header 'Content-Length' 0;
  return 204;
}