Cool! Glad it worked for you.
Usually for security purposes it's better to just provide the CORS header permission to ~/.well-known/lnurlp so that GET/HEAD HTTPS methods are called only there.
Depending on what else you run on your web server it might be secure to add that. Even otherwise, I usually prefer giving only very specific access and HTTP methods.
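
A sketch of the scoping described above, added as an example and not part of the original post. It assumes nginx as the web server; the host name, certificate paths and backend address are placeholders.

```nginx
# Assumed setup: nginx terminates TLS and serves or proxies the
# LNURL-pay responses under /.well-known/lnurlp/.
server {
    listen 443 ssl;
    server_name example.com;                          # placeholder
    ssl_certificate     /etc/ssl/example.com.crt;     # placeholder path
    ssl_certificate_key /etc/ssl/example.com.key;     # placeholder path

    # Broad form (left commented out): a server-level header is inherited by
    # every location that sets no add_header of its own, so everything else
    # hosted here becomes readable cross-origin as well.
    # add_header Access-Control-Allow-Origin "*" always;

    # Scoped form: CORS only on the lnurlp path, read-only methods only.
    location ^~ /.well-known/lnurlp/ {
        # Allowing GET also allows HEAD; every other method is answered 403.
        limit_except GET {
            deny all;
        }
        add_header Access-Control-Allow-Origin  "*" always;
        add_header Access-Control-Allow-Methods "GET, HEAD" always;

        proxy_pass http://127.0.0.1:8080;             # hypothetical backend
    }

    # Everything else: no CORS headers, so browsers keep enforcing the
    # same-origin policy for other apps on this host.
    location / {
        root /var/www/html;                           # placeholder
    }
}
```

Running `nginx -t` validates the syntax before a reload; a cross-origin GET to the lnurlp path should then carry the header, while any other path should not.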