I am writing a project with an Angular2 frontend and a REST WebAPI backend using php.
I have been running/debugging the frontend using
Configure your development application server to proxy requests to the development REST server. Then make same origin requests.
.htaccess to turn CORS headers on but add it to
.gitignore (or your version control system's equivalent) to ensure it stays out of production.
Alternatively, if your REST server has a configuration system. Use that to turn on CORS in development (and again, ensure that the config file is kept out of version control).