When payloads are too large, other later middleware like `cors` are skipped

We need a general solution to ensure that CORS headers are sent to avoid confusing errors (CORS errors instead of "payload too large" errors).