Here's why you should always read the F... manual.

Well recently I needed to set CORS headers for my side project, at first I used Nginx to send additional headers for static files, but then I needed something more configurable.
And I decided to use NelmioCorsBundle, but to my surprise, I couldn't run it. This is something I hate about Symfony in general, and I guess that's why so many people choose Laravel over Symfony for its simplicity. But well I spent some time digging into configuration.
Actually, it was pretty simple to change, but again as I said, Symfony bundle configuration is evil ^_-  sometimes.

So I ran the command

composer req cors

Symfony configured everything for me with default values:

nelmio_cors:
    defaults:
        origin_regex: true
        allow_origin: ['*']
        allow_methods: ['GET', 'OPTIONS', 'POST', 'PUT', 'PATCH', 'DELETE']
        allow_headers: ['Content-Type', 'Authorization']
        expose_headers: ['Link']
        max_age: 3600
    paths:
        '^/': null

#    %env(CORS_ALLOW_ORIGIN)%

I added /api endpoint to test everything

        '^/api':
            allow_origin: ['myhost.com']
            allow_headers: ['*']
            allow_methods: ['GET', 'OPTIONS', 'POST', 'PUT', 'PATCH', 'DELETE']
            max_age: 3600

And I tried to run some endpoints from the allowed origin, but it did not work. Then I changed this line: allow_origin to ["*"] and it still does not work.

Well, what do you think? it was origin_regex: true(If you don't use regex of course). I removed it and everything went well, so remember kids to RTFM :).

If origin_regex is set, allow_origin must be a list of regular expressions matching allowed origins. Remember to use ^ and $ to clearly define the boundaries of the regex.