How to set CNAME to reach externel backend service?

Question

Got an error here when press Login button: https://sp-poc.com/admin

Access to XMLHttpRequest at 'https://speechifai-poc.herokuapp.com/api/loginEmail' from origin 'https://sp-poc.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

I did set up frontend service, it should point to the Heroku backend:

What do I miss more?

Backend should write the cookie:

func loginEmail(_ req: Request) throws -> Response
{
    let response = Response(status: .ok)
    let cookie = HTTPCookies.Value(string: "abcdef", isHTTPOnly: true)
    response.cookies["userId"] = cookie
    return response
}

these middleware setting I have now:

app.middleware.use(CORSMiddleware(configuration: .init(
    allowedOrigin: .originBased,//.originBased,
    allowedMethods: [.GET, .POST, .PUT, .OPTIONS, .DELETE, .PATCH],
    allowedHeaders: [.accept, .authorization, .contentType, .origin, .xRequestedWith, .userAgent, .accessControlAllowOrigin, .init("crossDomain")/*, .accessControlAllowCredentials, .xRequestedWith*/]
)))