I’ve never really seen this in (Java/Rust/PHP) backend personally, only in client-side JS (the CORS preflight).

It’s a security feature for browsers doing calls (checking the CORS headers before actually calling the endpoint), but for backends the only place it makes sense is if you’re implementing something like webhooks, to validate the (user submitted) endpoint.