Issue CORS: "Only One Origin Allowed"-Error - where does second origin * come from?

[it78croix]

Server operating system version

Ubuntu 22.04.2 LTS

Plesk version and microupdate number

Plesk Obsidian Web Host Edition 18.0.53 Update #2

Having a Backend NodeJS-App on api.XXX.com and a Frontend React-App on XXX.com.

On the BackendNodeJS-App and in Plesk - Domains - the Apache & nginx Settings my 'Access-Control-Allow-Origin"-Header is set to the frontend url.

But, I get the message of

Access to XMLHttpRequest at [api] from origin [Frontend] has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header contains multiple values '*, [...], but only one is allowed.

I can't find where the 'Access-Control-Allow-Origin'-Header could be set to the asterisk ('*'). Any ideas?