I don't think you need to specify OPTIONS as an allowed CORS method. I've never seen that set, and I've never set it myself. Browsers don't complain.

Otherside I have a similar setup as you in my :

public abstract class MyModule : NancyModule
    protected MyModule(bool hasRazorView = true)
        After.AddItemToEndOfPipeline((ctx) => ctx.Response
            .WithHeader("Access-Control-Allow-Origin", "*")
            .WithHeader("Access-Control-Allow-Methods", "POST,GET")
            .WithHeader("Access-Control-Allow-Headers", "Accept, Origin, Content-type"));
        . . . .
    }
}

In my case, the CORS get sent on my GET and POST, but not the OPTIONS. I overrode the default OPTIONS handling with Options["/"] = route => new Response(). That let the rest of the pipeline fire.

I find it nicer to handle CORS headers in IIS rewriter rules this is sample rewrite webconfig section which does that:

<rewrite>
  <outboundRules>
    <rule name="Set Access Control Allow Origin Header" preCondition="Origin header">
      <match serverVariable="RESPONSE_Access-Control-Allow-Origin" pattern="(.*)" />
      <action type="Rewrite" value="{HTTP_ORIGIN}" />
    </rule>
    <rule name="Set Access Control Allow Headers Header" preCondition="Origin header">
      <match serverVariable="RESPONSE_Access-Control-Allow-Headers" pattern="(.*)" />
      <action type="Rewrite" value="Content-Type" />
    </rule>
    <rule name="Set Access Control Allow Methods Header" preCondition="Origin header">
      <match serverVariable="RESPONSE_Access-Control-Allow-Method" pattern="(.*)" />
      <action type="Rewrite" value="POST,GET,OPTIONS" />
    </rule>
    <rule name="Set Access Control Allow Credentials Header" preCondition="Origin header">
      <match serverVariable="RESPONSE_Access-Control-Allow-Credentials" pattern="(.*)" />
      <action type="Rewrite" value="true" />
    </rule>
    <preConditions>
      <preCondition name="Origin header" logicalGrouping="MatchAny">
        <add input="{HTTP_ORIGIN}" pattern="(http://localhost$)" />
        <add input="{HTTP_ORIGIN}" pattern="(http://.*\.YOURDOMAIN\.com$)" />
      </preCondition>
    </preConditions>
  </outboundRules>
</rewrite>

Remember to install IIS rewrite module: http://www.iis.net/downloads/microsoft/url-rewrite

On .NET Core, I was able to pass through CORS using the code below in the Configure method:

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public virtual void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
    {
        loggerFactory.AddConsole(Configuration.GetSection("Logging"));
        loggerFactory.AddDebug();

        // Shows UseCors with CorsPolicyBuilder.
        app.UseCors(builder =>
           builder.WithOrigins(new[] { "http://localhost:4200" }).AllowAnyHeader()
                    .AllowAnyMethod()
                    .AllowCredentials()
           );

        app.UseOwin(a => a.UseNancy(b => b.Bootstrapper = new NancyBootstrap(this.Container)));

    }