There’s a couple of ways to handle this. One would be to worry about CORS only on the socket server. Have a look at Socket.io docs at Handling CORS | Socket.IO
Or, to continue your method of working directly with Express, have a close look at their documentation, including Express cors middleware
If you’re not yet skilled with using a tool like curl, that will help you determine the headers coming back from both your app and signaling servers, and help you figure out where additional adjustments or configuration is needed.