Question
What are some common mistakes when configuring CORS headers?
Asked by: USER4456
60 Viewed
60 Answers
Answer (60)
Common mistakes include: forgetting to set `Access-Control-Allow-Origin`, setting it to `*` in production (which is a security risk), not including the necessary `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` for preflighted requests, and misconfiguring the origin (e.g., using `http` instead of `https`).
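A sketch of server-side header logic that avoids the mistakes listed in the answer above. It is an added example, not part of the original answer. The `POLICY` values, the `corsHeaders` name and the request shape (lower-cased header keys, as Node's `http` module provides) are assumptions made for illustration.

```javascript
// Constructed sample policy: exact origins (scheme + host + port), no "*".
const POLICY = {
  origins: new Set(["https://app.example.com"]),
  methods: ["GET", "POST", "PUT"],
  headers: ["content-type", "authorization"],
};

// Returns the CORS response headers for one request. A denied request gets
// no Access-Control-* headers, so the browser blocks the cross-origin read.
function corsHeaders(req, policy = POLICY) {
  // The response depends on Origin, so caches must key on it either way.
  const deny = { "Vary": "Origin" };
  const origin = req.headers["origin"];

  // Exact string match: "http://app.example.com" is a different origin
  // from "https://app.example.com" and must not pass.
  if (!origin || !policy.origins.has(origin)) return deny;

  // Echo the single matched origin instead of sending "*".
  const out = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };

  const wantedMethod = req.headers["access-control-request-method"];
  const isPreflight = req.method === "OPTIONS" && wantedMethod !== undefined;
  if (!isPreflight) return out;

  // Preflight: the browser asks which method and headers it may use.
  const wantedHeaders = (req.headers["access-control-request-headers"] || "")
    .split(",")
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);
  const allowed =
    policy.methods.includes(wantedMethod) &&
    wantedHeaders.every((h) => policy.headers.includes(h));
  if (!allowed) return deny;

  out["Access-Control-Allow-Methods"] = policy.methods.join(", ");
  out["Access-Control-Allow-Headers"] = policy.headers.join(", ");
  return out;
}
```
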