CORS is a two-way process. The client sends particular CORS-related headers, and then the server responds appropriately. Unless you tell curl
to set those request headers, you won't see anything in the response.
If you add the Origin
header to your request, you should see what you're looking for:
$ curl --head http://localhost:9200 -H 'Origin: http://foo.com'
HTTP/1.1 200 OK
access-control-allow-origin: *
content-type: application/json; charset=UTF-8
content-length: 326