...
<cors enabled="true" failUnlistedOrigins="false">
...
<add origin="https://timeline.rocket.cologne">
<allowHeaders allowAllRequestedHeaders="true">
<add header="authorization" />
</allowHeaders>
</add>
</cors>
...