fix(api): add content-type to allowed CORS headers

[flrgh]

Turns out that Content-Type is allowed by default for CORS purposes, but only for the following mime types:

• application/x-www-form-urlencoded
• multipart/form-data
• text/plain

Explicitly allowing it via Access-Control-Allow-Headers opens it up to any mime type.

See also:

• https://fetch.spec.whatwg.org/#cors-safelisted-request-header
• https://fetch.spec.whatwg.org/#http-access-control-request-headers