
Cursor's CORS Config Is Wide Open by Default (Here's the Fix)
TL;DR

- Cursor and Claude Code default to cors() with no arguments, which answers every request with Access-Control-Allow-Origin: *. Any website can then read the responses your API returns to an unauthenticated caller.
- CWE-942 (Permissive Cross-domain Policy with Untrusted Domains) applies to Express, Fastify and FastAPI backends generated without an explicit origin config.
- Fix: pass an explicit origin array, and set credentials: true only if the frontend actually needs cookies sent cross-origin. The browser enforces the restriction for you; the server only declares it.

I reviewed four side projects last week, all vibe-coded with Cursor. Clean structure, decent test coverage, working auth flows. Then I checked the CORS configuration in each one. Every single one had this:

app.use(cors()); // CWE-942: wildcard CORS origin

No origin list. No credentials config. Zero arguments. That defaults to Access-Control-Allow-Origin: * with no Access-Control-Allow-Credentials header, so any website can read your API responses. Build a page at evil.com that fires a fetch to your endpoint, and the browser hands the page the full response body. One caveat matters in practice: a browser will not attach the victim's cookies to a request whose answer is a bare *, so what leaks through the wildcard is whatever the API returns to an anonymous caller (including anything reachable only on the developer's localhost or an internal network). The worse variant is reflecting the request's Origin header back with credentials: true, which lets evil.com read responses made with the victim's session. And CORS is purely a browser control: curl and scripts ignore it, so an unauthenticated admin route is exposed with or without an origin list.

One of those projects had user profile endpoints. Another had an /api/admin/users route with no rate limiting. Both were behind open CORS. Neither developer knew it.

The Vulnerabl
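To make the wildcard-versus-allowlist distinction concrete, here is an added example (not code from the article or from the express cors package) that models three server policies and the browser-side CORS check that decides whether a cross-origin page may read a response. The policy shape (origin as '*', 'reflect' or an array, plus a credentials flag), the function names, and the origins https://evil.example and https://app.example.com are assumptions made for the demonstration; the browser rule it encodes is the one from the Fetch specification: a credentialed response is exposed only when Access-Control-Allow-Origin exactly equals the page's origin and Access-Control-Allow-Credentials is literally "true".

```javascript
// Added example, not the article's or any library's code. Models CORS
// response headers for three policies and the browser's CORS check.
// Policy shape is an assumption: { origin: '*' | 'reflect' | [list], credentials: bool }.

function buildCorsHeaders(requestOrigin, policy) {
  const headers = {};
  if (policy.origin === '*') {
    headers['Access-Control-Allow-Origin'] = '*';
  } else if (policy.origin === 'reflect') {
    // Echo whatever Origin the client sent: effectively "any origin".
    if (requestOrigin) headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Vary'] = 'Origin';
  } else if (Array.isArray(policy.origin)) {
    // Allowlist: only a listed origin is echoed back, exact string match.
    if (policy.origin.includes(requestOrigin)) {
      headers['Access-Control-Allow-Origin'] = requestOrigin;
    }
    headers['Vary'] = 'Origin';
  }
  if (policy.credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Browser-side CORS check (Fetch spec, simplified): true if a page at
// requestOrigin is allowed to read the response carrying these headers.
function browserExposesResponse(requestOrigin, headers, withCredentials) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (!withCredentials) {
    return acao === '*' || acao === requestOrigin;
  }
  // Credentialed request: '*' is rejected, origin must match exactly,
  // and Allow-Credentials must be the literal string "true".
  return acao === requestOrigin &&
    headers['Access-Control-Allow-Credentials'] === 'true';
}

// Simulate one cross-origin fetch from attackerOrigin under policy.
function canRead(attackerOrigin, policy, withCredentials) {
  const headers = buildCorsHeaders(attackerOrigin, policy);
  return browserExposesResponse(attackerOrigin, headers, withCredentials);
}

// Three policies. WILDCARD is what a bare cors() call produces.
const WILDCARD  = { origin: '*', credentials: false };
const REFLECTED = { origin: 'reflect', credentials: true };
const ALLOWLIST = { origin: ['https://app.example.com'], credentials: true };

// Audit helper: probes with a constructed attacker origin and reports which
// kinds of response an arbitrary website could read under the policy.
function auditPolicy(policy) {
  const probe = 'https://evil.example'; // constructed, not a real site
  const findings = [];
  if (canRead(probe, policy, false)) {
    findings.push('any origin can read unauthenticated responses');
  }
  if (canRead(probe, policy, true)) {
    findings.push("any origin can read responses made with the victim's cookies");
  }
  return findings;
}
```

Running auditPolicy over the three constants shows the progression: WILDCARD flags only unauthenticated reads, REFLECTED flags both, and ALLOWLIST flags nothing while still letting https://app.example.com read credentialed responses. The same check works against a live server: send a request with an Origin header you do not own (for example with curl -si -H "Origin: https://evil.example") and inspect the Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers in the reply; a * or an echoed origin next to a "true" is the finding.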
Continue reading on Dev.to Webdev



