It expected that Postman does not receive CORS headers since its not sending a pre-flight request. Since the request has to be done from a browser, you can use this site to mimic your request: https://www.test-cors.org/ . This will send a request to your rest service from within the browser (basically the same as from the swagger page).
For your second question:
To add your own CORS headers you can do it like this:
You can associate these to your HttpResponse object and they will be send as headers in the request. Please make sure to also create a custom OPTION method for the method you want to have the correct CORS response.
You can find more information about this here: