Problem: Currently, DigitalOcean Functions enabled as "web actions" automatically inject a default Access-Control-Allow-Origin: header. This default behavior creates a critical conflict when a developer needs to implement a more secure, specific-origin CORS policy from their function's code (which is essential for any authenticated API). The platform merges the default with the developer-provided header, resulting in an invalid CORS policy that browsers reject. This issue is very difficult to debug and leads to significant developer frustration and support tickets. Suggestion: Please update the official documentation for the project.yml configuration file to include the solution for this problem. The solution, provided by your support team, is to use the annotations key with web-custom-options: true. The documentation should clearly explain that to take full manual control of HTTP headers and disable the default CORS injection, the function's configuration in project.yml must be structured as follows: functions: - name: my-function web: true annotations: web-custom-options: true ... rest of the configuration Benefit: Adding this information to the public documentation would be immensely valuable. It would save developers countless hours of debugging, prevent a great deal of frustration, and reduce the number of support tickets related to this specific, non-obvious issue. It's a small documentation change that would significantly improve the developer experience on the Functions platform.