AI-Generated Backends Almost Always Get CORS Wrong


via Dev.to WebdevBusyAgents

TL;DR

- AI editors output app.use(cors()) with zero config by default - that's a wildcard CORS policy.
- On unauthenticated public APIs this is fine. On anything with sessions or JWT auth, it's a credential theft vector.
- Three lines fix it, but you have to know to look.

I was reviewing a Node.js API a friend built last month. Express backend, JWT auth, clean structure. The AI had written basically everything from scratch in a weekend. It worked perfectly.

And buried in the middleware setup, six lines from the top:

app.use(cors()); // CWE-942

No config. No options. Full wildcard. Any origin, including evil.com, could make credentialed cross-origin requests to that API.

I've seen this pattern dozens of times. Not from developers who don't know better. From fast-moving teams using AI editors to ship quickly. The AI writes code that passes every test and ships perfectly - but the security assumptions baked into that code are frequently from a different era.

The Vulnerable Pattern

Here's wha
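To make the review point concrete, here is an added example (not the article's code and not the `cors` npm package itself): a small pure-function model of the header decision an Express CORS middleware makes for a given request Origin, plus the browser-side rule that decides whether a page on a foreign origin may read the response. It covers the zero-config default the article describes, the explicit allowlist that is the "three lines" fix, and additionally the origin-reflection setting (`origin: true`), which is the configuration that actually lets any origin read credentialed responses. The two origins used are constructed placeholders, and the model simplifies the real package to the options shown.

```javascript
'use strict';
// Added example, not the article's code and not the `cors` npm package:
// a pure-function model of the response headers an Express CORS middleware
// emits, used here to audit which origins could read credentialed responses.

const APP_ORIGIN = 'https://app.example.com';   // constructed placeholder: the legitimate frontend
const FOREIGN_ORIGIN = 'https://evil.example';  // constructed placeholder, stands in for evil.com

// The "three lines" hardened configuration: an explicit allowlist, and
// credentials only for origins on that list.
const hardenedOptions = {
  origin: [APP_ORIGIN],
  credentials: true,
};

// Headers the middleware would add for a request carrying `requestOrigin`.
// Supported `origin` values (a subset of the real package): '*' (the default
// when no options are given), true (reflect the requesting origin), or an
// array of exact origins. Anything else sends no Allow-Origin header at all.
function corsHeaders(options, requestOrigin) {
  const { origin = '*', credentials = false } = options;
  const headers = {};
  let allowed = null; // value for Access-Control-Allow-Origin; null means omit it

  if (origin === '*') {
    allowed = '*';
  } else if (origin === true) {
    allowed = requestOrigin || null;
  } else if (Array.isArray(origin) && origin.includes(requestOrigin)) {
    allowed = requestOrigin;
  }

  if (allowed !== null) headers['Access-Control-Allow-Origin'] = allowed;
  if (allowed !== null && allowed !== '*') headers['Vary'] = 'Origin';
  // As in the real package, the credentials flag is applied independently of origin.
  if (credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Browser-side rule (Fetch spec): a script on `pageOrigin` may read a response
// to a request sent with credentials (cookies, HTTP auth) only if the server
// echoed that exact origin and sent Allow-Credentials: true. A literal '*' is refused.
function browserAllowsCredentialedRead(headers, pageOrigin) {
  return headers['Access-Control-Allow-Origin'] === pageOrigin &&
         headers['Access-Control-Allow-Credentials'] === 'true';
}

// Anonymous (credential-free) reads accept '*' or an exact origin match.
function browserAllowsAnonymousRead(headers, pageOrigin) {
  const acao = headers['Access-Control-Allow-Origin'];
  return acao === '*' || acao === pageOrigin;
}

// Review helper: for a middleware config, which of the candidate origins could
// a browser let read a session- or cookie-bearing response from this API?
function originsWithCredentialedAccess(options, candidateOrigins) {
  return candidateOrigins.filter((o) =>
    browserAllowsCredentialedRead(corsHeaders(options, o), o));
}

// Stand-alone demo: compare the three configurations side by side.
function demo() {
  const candidates = [APP_ORIGIN, FOREIGN_ORIGIN];
  const configs = [
    ['app.use(cors())                       ', {}],
    ['cors({ origin: true, credentials: true })', { origin: true, credentials: true }],
    ['cors(hardenedOptions)                 ', hardenedOptions],
  ];
  for (const [label, opts] of configs) {
    console.log(label, '-> credentialed access for:', originsWithCredentialedAccess(opts, candidates));
  }
}

demo();
```

Running it shows the default wildcard answers every origin with `Access-Control-Allow-Origin: *`, which any page can read anonymously; the reflection setting with `credentials: true` grants credentialed access to both origins, including the foreign one; and the allowlist grants it to the application origin only, sending no Allow-Origin header at all to anything else. The `Vary: Origin` header in the allowlist case matters for caches sitting in front of the API, so that a response echoed to one origin is not served to another.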
