Apollo Router, access-control-allow-origin not being set

I am trying to get Apollo Router working locally, but am running into CORS issues. It looks like Router is not setting the access-control-allow-origin header at all. Here is my router.yaml:

  enabled: false
  enabled: true
  allow_any_origin: false
    - http://localhost:3000
  path: /graphql
  introspection: true

And here are the response headers:

vary: origin
content-type: application/json
content-encoding: gzip
transfer-encoding: chunked
date: Thu, 17 Nov 2022 18:59:28 GMT

This is causing CORS errors from my frontend. If I point my frontend directly at one of my subgraphs, I can get my subgraph API to properly set the allowed origin. So I don’t think its an issue with how my frontend is making the request.

Is there something I am missing? Thanks for any help.