If you have a challenge (like from a custom rule/under attack mode) being served it'd break CORS
#Dddoss Attack Corse Error
formal pewter
if you could grab the rest of the headers, could look for cf-mitigated response header
I don't do stuff like that sorry, you can respond/get best effort help here
This shouldn't be too difficult eitherway though, Cloudflare doesn't strip CORS arbitrarily, would only happen when serving challenges/block pages (like under attack mode security level), and removing CORS from the backend isn't a solution, CORS is a browser-default required security control, your dev.domain.com has to have CORS headers allowing the other domain to fetch it