Add CORS headers to API response

We need configurable CORS headers in the API, otherwise browsers will block most requests (everything that sends authorization tokens and (if not sending auth tokens or other custom headers) everything except simple GET and POST requests (with standard content types)).

So, I found https://flaviocopes.com/golang-enable-cors/ for quick fixing. We could add the header to every API response and use some EnvVar to configure the allowed origins. Or we do the proper thing and use something like https://github.com/rs/cors