--cors | Enable CORS via the Access-Control-Allow-Origin header
The above documentation seems to be incorrect and it is confusing. As we can see through the code, that --cors will enable the Access-Control-Allow-Origin header and also the value set is assigned to the Access-Control-Allow-Headers . Possible values: should be like here --cors='X-Custom-Header'

Here is the line that supports above:
https://github.com/http-party/http-server/blob/master/lib/http-server.js#L101-L107