CORS is a two-way process. The client sends particular CORS-related headers, and then the server responds appropriately. Unless you tell curl to set those request headers, you won't see anything in the response.
If you add the Origin header to your request, you should see what you're looking for:
$ curl --head http://localhost:9200 -H 'Origin: http://foo.com'
HTTP/1.1 200 OK
access-control-allow-origin: *
content-type: application/json; charset=UTF-8
content-length: 326