"CORS config Origin" didn't block for requst from Curl / Postman

Hi Guys,
I found an issue when I’ve applied config.origin in Kong but the request from Curl / Postman without the right Origin still got the response(200). I am using CORS Plugin in a kong.
a config such as below

"config": { "methods": [ "GET", "PUT", "POST" ], "headers": [ "Authorization", "Token" ], "credentials": true, "origins": [ "https://mock.test"] }

Appreciated it if you can help this issue. Thanks

Only web browsers do the CORS check, this is why in curl or postman works.