It’s been a long time since I used node, but just looking at the code, I think you need to remove the headers in your client request.
Then make sure that these are added in your server response:
Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Credentials: true
Check if the cors package in node does not already does this.
You send the header on the / <- endpoint but you call a /endpoint in your client. That last route probably does not set any access control headers headers.
To debug:
Check your developer console -> network to see what URLs are being accessed and what the response headers are. There you should see these access-control headers.
If you don’t see them there, it means something is not working on your server-side.
Here are some good examples on this:
https://github.com/expressjs/cors
And just to be sure: make sure you are calling the API from https://example.com because https://www.example.com will