are there any OPTIONS interceptors or do I need to write my own?

@deadghost default-interceptors should do that. I don't have any code about options and it's handled in my app You may need ::http/secure-headers {:content-security-policy-settings ...} in your service map and maybe ::http/allowed-origins