If you do not want to block REST tools or server-to-server requests, add a !origin check in the origin function like so:
var corsOptions = {
origin: function (origin, callback) {
if (!origin || whitelist.indexOf(origin) !== -1) {
callback(null, true)
} else {
callback(new Error('Not allowed by CORS'))
}
}
}