Kibana 7.12.0 server.cors setting seems not work

Hi, I need to login Kibana via my application ("http://localhost:3000"). I post login data to "http://localhost:5601/internal/security/login" by ajax, but "Access-Control-Allow-Origin" header not show in the response

  url: "http://localhost:5601/internal/security/login",
  method: "POST",
  dataType: "json",
  headers: {
    "Content-Type": "application/json",
    "kbn-version": "7.12.0",
    "kbn-xsrf": "7.12.0",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": true,
    "Access-Control-Allow-Methods": "*",
    "Access-Control-Allow-Headers": "*"
  data: {
    params: {username: "admin", password: "admin"},
    provideName: "basic",
    provideType: "basic",


server.cors.enabled: true
server.cors.allowCredentials: true
server.cors.allowOrigin: ["http://localhost:3000"]


http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-credentials: true
http.cors.allow-methods: OPTIONS,HEAD,GET,POST,PUT,DELETE
http.cors.allow-headers: kbn-version,kbn-xsrf,Origin,X-Requested-With,Content-Type,Accept,Engaged-Auth-Token,Content-Length,Authorization

Response to OPTIONS request (kibana -> client)

HTTP/1.1 200 OK
cache-control: private, no-cache, no-store, must-revalidate
Connection: keep-alive
content-length: 54
content-type: application/json; charset=utf-8
Date: Wed, 13 Jul 2022 16:52:45 GMT
kbn-name: kibana
Keep-Alive: timeout=120

Why server.cors.allowOrigin setting not work?
Thank you.

Hi Terry,

I don't know much about cors but found this which might help;

Please let us know if you find your solution so others can learn as well.