CORS plugin does allow method that should be blocked

Hi, I am running Kong with declarative configuration. I have service called api. All it returns is just headers received in request. This is my configuration:

_format_version: '1.1'

- config:
    credentials: true
    - X-Auth-Token
    - Accept
    - Accept-Version
    - Authorization
    - Content-Length
    - Content-MD5
    - Content-Type
    - Date
    - X-Auth-Token
    max_age: 3600
    - POST
    - '*'
  name: cors

- name: api
  - name: api
    - /api
    strip_path: true
  url: http://api:8000

I am using cors plugin to restrict methods and I find out, GET works even when I do not have it in my configuration. I receive no errors, just response from my api application.

$ curl -s localhost:8000/api | jq .
  "host": "api:8000",
  "connection": "keep-alive",
  "x-forwarded-for": "",
  "x-forwarded-proto": "http",
  "x-forwarded-host": "localhost",
  "x-forwarded-port": "8000",
  "x-forwarded-path": "/api",
  "x-forwarded-prefix": "/api",
  "x-real-ip": "",
  "user-agent": "curl/7.84.0",
  "accept": "*/*"

I see in plugin CORS documentation that plugin is define in root key plugin as I have, but there is also service key inside configuration. It is quiet misleading, my configuration works and from doc, I do not understand correctly how should I configure it for multiple services. Can somebody make it clear with some examples?

I am new to Kong, so maybe I am missing something. Can somebody explain me why I am able to GET my api endpoint even when I did not allowed it?

Thank in advance.

Kong version: 2.8.0