The point of CORS is to prevent web pages loaded at one domain from making AJAX requests or HTTP requests that modify data to other domains. The way it works is web browsers are built to send pre-flight HTTP OPTIONS requests before any such cross-site requests, & the server will send back a message with the Access-Control-* headers designating its CORS policy, & the browser will proceed or abort the request based on what it’s told it can do. Since a native app is not a web page loaded from any domain at all, CORS restrictions are not needed or applied, the app’s HTTP functions never send an OPTIONS pre-flight, & the server serves the request without CORS ever entering into it. The same is true if you were to try these requests in Postman. Note, however, that if you were to use a hybrid mobile app (Cordova/Ionic/PhoneGap, etc.), you would have to deal with CORS, since these apps run in the device’s WebView, which is a type of browser & will send pre-flight OPTIONS requests.
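The exchange described above, as an added example that is not part of the original text: a local test server that advertises a CORS policy, queried the way a native HTTP client or Postman would query it. The origin names, the `/data` path, the payload and the helper names are constructed for illustration, and `browser_exposes` is a simplified model of the check a browser or WebView performs.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED_ORIGIN = "https://app.example"  # constructed: the one origin this API lists
BODY = b'{"balance": 42}'               # constructed sample payload

class Api(BaseHTTPRequestHandler):
    def _reply(self, status, body=b""):
        self.send_response(status)
        # The server only advertises its policy here; it refuses nothing.
        if self.headers.get("Origin") == ALLOWED_ORIGIN:
            self.send_header("Access-Control-Allow-Origin", ALLOWED_ORIGIN)
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self):  # pre-flight: only browsers and WebViews send this
        self._reply(204)

    def do_GET(self):
        self._reply(200, BODY)

    def log_message(self, *args):  # silence per-request logging
        pass

def request(port, method, origin=None):
    """One request as a native HTTP client sends it: no pre-flight first."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, "/data", headers={"Origin": origin} if origin else {})
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("Access-Control-Allow-Origin"), resp.read())
    conn.close()
    return result

def browser_exposes(origin, allow_origin):
    """Simplified browser-side check: page script may read the response on a match."""
    return allow_origin in ("*", origin)

def demo():
    server = HTTPServer(("127.0.0.1", 0), Api)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        return {"native": request(port, "GET"),
                "foreign": request(port, "GET", "https://other.example"),
                "preflight": request(port, "OPTIONS", ALLOWED_ORIGIN)}
    finally:
        server.shutdown()
        server.server_close()
```

In this example both the client with no `Origin` header and the one claiming an unlisted origin receive the full body with status 200; only a browser would withhold it from page script. An API reachable by native apps therefore has to authenticate and authorize each request on the server rather than rely on its CORS headers.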