Apache httpd: mod_headers patterns for conditional CORS on Directory and Location blocks

Keep CORS directives in included snippets per virtual host to reduce merge conflicts in shared hosting.

After enabling HTTP/2, retest preflight because multiplexing changes timing of parallel OPTIONS.

If PHP emits headers too, deduplicate—Apache may concatenate duplicate Access-Control-Allow-Origin unpredictably.

Use mod_security carefully; CRS rules can block legitimate preflight patterns.