Omitting the Access-Control-Max-Age header from a preflight response leads browsers to cache that response for 5 seconds, whereas including

Access-Control-Max-Age: 0

in a preflight instructs browsers not to cache that preflight response. However, rs/cors ignores that distinction and takes a maxAge value of 0 as a cue to omit the Access-Control-Max-Age header. Therefore, rs/cors prevents its users from disabling caching of preflight responses.