Is the CORS header set by default?
Access-Control-Allow-Origin: *
If you haven't yet done NIP-05 identity verification, no need to jump on solutions that do it for you.
I've put together the simplest possible self-hosted NIP-05 verification setup I can think of. Just get the cheapest VPS you can, clone the repo, edit 2 files slightly, and run one command and you'll have an always-on, always up-to-date, properly certified NIP-05 identity endpoint:
https://github.com/sethforprivacy/easy-nip5
Detailed steps are all in the readme at the above repo.
Feedback welcome!
Discussion
It's set in one of the labels for the nip05 container, and handled by Traefik.
It's exactly what I run :)