Angular

How to fix No 'Access-Control-Allow-Origin'?

I am writing a SPA application. I assembled the project through webpack on the angular 2 off.doc. I send a simple post request and this is what the console outputs:

XMLHttpRequest cannot load http://spa.local/api/heroes. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:1313' is therefore not allowed access.
hero.service.ts?e399:46 0 -  {"isTrusted":true}

Created CORS middleware:

class Cors
{
    public function handle($request, Closure $next)
    {
        return $next($request)
            ->header('Access-Control-Allow-Origin', '*')
            ->header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS')
            ->header('Access-Control-Max-Age', '1000')
            ->header('Access-Control-Allow-Headers', 'Origin, Content-Type, X-Auth-Token');
    }
}

But the error is still the same.
I make a post request via POSTMAN , everything is fine, the server responds with data. I look in the headers tab:

Access-Control-Allow-Headers →Origin, Content-Type, X-Auth-Token
Access-Control-Allow-Methods →GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Origin →*
Access-Control-Max-Age →1000
Cache-Control →no-cache, private
Connection →keep-alive
Content-Encoding →gzip
Content-Type →text/html; charset=UTF-8
Date →Mon, 30 Jan 2017 15:03:34 GMT
Server →nginx/1.10.1 (Ubuntu)
Transfer-Encoding →chunked

So what is the problem and where to dig?