Update `Access-Control-Allow-Headers` recommendation to fit CORS specification.