Yeh .NETCore doesnt do any checks for that itself either - just their own docs warn you to consider order of middleware https://docs.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-5.0#enable-cors-1