3 CORS Misconfigs Cursor Keeps Writing Into Vibe-Coded APIs

via Dev.to Webdev (Charles Kern)

TL;DR

- Cursor and Copilot default to origin: '*' when generating Express CORS config, letting any website call your API from a logged-in user's browser.
- Pairing origin: '*' with credentials: true gets blocked by browsers, so developers remove credentials to make it work — breaking auth while leaving the wildcard intact.
- Fix: pass an origin allowlist function, not a string, and keep credentials: true alongside it.

I was reviewing a side project last month. React frontend, Node.js API, the whole thing built in a weekend with Cursor. The code was clean. The architecture was sensible. Then I checked the CORS config.

app.use(cors()); // fix before prod

The comment was still there. The app had been live for three weeks.

This is not a freak occurrence. I've seen the same pattern across probably twenty AI-assisted backends in the past year. There's a structural reason it keeps happening.

The vulnerable config (CWE-942)

The bare cors() call defaults origin to '*'. That's the most common form.
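The three configurations the article describes, reduced to the response headers each one produces, as an added example that is not the article's code: originAllowlist follows the (origin, callback) signature accepted by the cors package's origin option, while corsHeaders and browserAccepts are assumed stand-ins for the package and for the browser's credentialed-response check, written so the behaviour can be verified offline.

```javascript
// Constructed sample allowlist; a real one holds the deployed frontend origins.
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);

// Allowlist function in the (origin, callback) shape the `cors` package accepts for
// its `origin` option: callback(err, allow). A missing Origin header means no CORS.
function originAllowlist(requestOrigin, callback) {
  if (!requestOrigin) return callback(null, false);
  callback(null, ALLOWED_ORIGINS.has(requestOrigin));
}

// Stand-in for the package (an assumption, not its code): the CORS response headers a
// given config would emit for a request carrying `requestOrigin`. An empty object
// means the origin was refused, so the browser will block the response.
function corsHeaders(config, requestOrigin) {
  const headers = {};
  const origin = config.origin === undefined ? '*' : config.origin; // bare cors() => '*'
  if (typeof origin === 'function') {
    let allowed = false;
    origin(requestOrigin, (err, allow) => { allowed = !err && allow === true; });
    if (!allowed) return headers;
    headers['Access-Control-Allow-Origin'] = requestOrigin; // reflect only what passed
    headers['Vary'] = 'Origin';                             // per-origin answer, cache on it
  } else {
    headers['Access-Control-Allow-Origin'] = origin;        // static string, e.g. '*'
  }
  if (config.credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// The browser-side rule behind the "just drop credentials" workaround: a credentialed
// response is accepted only with an exact-origin ACAO plus ACAC: true, never with '*'.
function browserAccepts(headers, requestOrigin, withCredentials) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (!acao) return false;
  if (withCredentials) {
    return acao === requestOrigin && headers['Access-Control-Allow-Credentials'] === 'true';
  }
  return acao === '*' || acao === requestOrigin;
}

// The three configurations from the article, as the option objects cors() would receive.
const BARE = {};                                                // app.use(cors())
const WILDCARD_WITH_CREDS = { origin: '*', credentials: true }; // blocked by browsers
const FIXED = { origin: originAllowlist, credentials: true };   // allowlist fn + credentials
```

Running corsHeaders(FIXED, origin) for an origin outside the allowlist returns no CORS headers at all, which is the behaviour to look for in a review: the fix should refuse unknown origins rather than echo them.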

Continue reading on Dev.to Webdev
