Caddy: header directive does not overwrite proxy-set headers

My backend service sets some headers for local development, but I want them overwritten by Caddy with safer values. The documentation clearly states:

• is the name of the header field. By default, will overwrite any existing field of the same name. Prefix with + to add the field instead of replace, or prefix with - to remove the field.

However, the following snippet:

# allow everything from every origin
header {
    access-control-allow-credentials true
    access-control-allow-headers "content-type, range"
    access-control-allow-methods "DELETE, GET, PATCH, POST"
    access-control-allow-origin {http.request.header.origin}
    access-control-expose-headers content-range
}

Is not overwriting the values, it is just prepending them. The response is:

access-control-allow-credentials: true
access-control-allow-credentials: true
access-control-allow-headers: content-type, range
access-control-allow-headers: Content-Type
access-control-allow-headers: Range
access-control-allow-methods: DELETE, GET, PATCH, POST
access-control-allow-methods: DELETE
access-control-allow-methods: GET
access-control-allow-methods: PATCH
access-control-allow-methods: POST
access-control-allow-origin: https://localhost:1234
access-control-allow-origin: http://localhost:1234
access-control-expose-headers: content-range
access-control-expose-headers: Content-Range
access-control-max-age: 86400

This duplication of headers breaks everything, as browsers just consider the duplicate entries to be invalid.

While at that: how do I handle multiple value headers, such as access-control-allow-methods and access-control-allow-headers? My backend handles it differently (one per like) than this Caddy config.