I’m not sure how your gateway works, but is it possible for the gateway to set headers instead of adding headers?
You can set the value in the server to the same value * (c.ServerApp.allow_origin = '*'). It is important to set the value, because Jupyter Server checks the origin on requests, it doesn’t just set the CORS header. So if you only override the CORS header, the browser will attempt the request, but it will be rejected if it doesn’t match the server’s CORS settings.
Of course, by allowing any origin, you are also explicitly allowing cross-site request forgeries.