mod_headers is supported as far as I know, but CORS is not allowed on our hosting. We provide hosting for websites, not for data servers for external applications or as a file storage server. Even if you could set the Access-Control headers, the bot protection system would still prevent you from loading assets into external websites.