Why Cursor Keeps Generating Wildcard CORS -- And How to Fix It

via Dev.to, by Charles Kern

TL;DR

AI editors almost always default to cors() with no config -- which sets Access-Control-Allow-Origin: *.
Wildcard CORS on authenticated APIs exposes your users to cross-site request attacks.
Fix: replace the wildcard with an explicit origin allowlist controlled by an env var.

I was reviewing a side project a dev built entirely in Cursor. The Express backend looked clean -- structured routes, solid error handling, decent auth middleware. Then I checked the CORS setup.

    app.use(cors()); // defaults to Access-Control-Allow-Origin: *

One line. Auto-suggested by Cursor from a starter template. Left in production because it made the frontend stop complaining in dev. Except this was prod.

Wildcard CORS feels harmless compared to SQL injection. No immediate data breach. But for any API using cookies or session tokens, a wildcard CORS config means any website -- a phishing page, a malicious ad iframe -- can make authenticated requests on behalf of your logged-in users without them knowing.
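The fix the TL;DR describes, an explicit origin allowlist driven by an env var, shown as an added example that is not code from the article or from the cors package. It is a dependency-free Express-style (req, res, next) middleware so it runs without a server; the env var name CORS_ALLOWED_ORIGINS, the sample origins and the fake req/res objects are assumptions constructed for the example.

```javascript
// Added example (not from the Dev.to article or the cors package): an
// Express-style CORS middleware that reflects an Origin header only when it
// is on an explicit allowlist. CORS_ALLOWED_ORIGINS is an assumed env var name.

// Turn a comma-separated env var into a Set of normalized origins.
// A literal "*" entry is dropped so the wildcard cannot sneak back in via config.
function buildAllowlist(envValue) {
  return new Set(
    (envValue || "")
      .split(",")
      .map((o) => o.trim().toLowerCase())
      .filter((o) => o.length > 0 && o !== "*")
  );
}

// Compute the CORS response headers for one request Origin.
// Disallowed or absent origins get only "Vary: Origin": without an
// Access-Control-Allow-Origin header the browser refuses the cross-site read.
function corsHeadersFor(origin, allowlist) {
  const headers = { Vary: "Origin" }; // caches must key responses on Origin
  if (!origin || !allowlist.has(origin.toLowerCase())) {
    return headers;
  }
  headers["Access-Control-Allow-Origin"] = origin; // exact echo, never "*"
  headers["Access-Control-Allow-Credentials"] = "true"; // cookies only for listed origins
  headers["Access-Control-Allow-Methods"] = "GET,POST,PUT,DELETE,OPTIONS";
  headers["Access-Control-Allow-Headers"] = "Content-Type,Authorization";
  return headers;
}

// Middleware factory with the (req, res, next) shape Express uses.
// Preflight (OPTIONS) requests are answered with 204 and never reach the routes.
function allowlistCors(allowlist) {
  return function corsMiddleware(req, res, next) {
    const headers = corsHeadersFor(req.headers.origin, allowlist);
    for (const [name, value] of Object.entries(headers)) {
      res.setHeader(name, value);
    }
    if (req.method === "OPTIONS") {
      res.statusCode = 204;
      res.end();
      return;
    }
    next();
  };
}

// Drive the middleware with a constructed fake req/res so it can be exercised
// without a running server. Returns what the browser would observe.
function simulateRequest(allowlist, method, origin) {
  const req = { method, headers: origin ? { origin } : {} };
  const res = {
    statusCode: 200,
    headers: {},
    setHeader(name, value) { this.headers[name] = value; },
    end() {},
  };
  let reachedRoute = false;
  allowlistCors(allowlist)(req, res, () => { reachedRoute = true; });
  return { statusCode: res.statusCode, headers: res.headers, reachedRoute };
}

// Typical wiring in an Express app, with the allowlist read from the environment:
//   const allowlist = buildAllowlist(process.env.CORS_ALLOWED_ORIGINS);
//   app.use(allowlistCors(allowlist));
// Constructed demonstration: one listed origin, one unlisted origin.
function demo() {
  const allowlist = buildAllowlist("https://app.example.com, https://admin.example.com");
  return {
    allowed: simulateRequest(allowlist, "GET", "https://app.example.com"),
    denied: simulateRequest(allowlist, "GET", "https://evil.example.net"),
  };
}
```

Two design points: the middleware still calls next() for an unlisted origin, because CORS is a browser-enforced restriction on reading the response, not server-side authorization, so cookie-backed state-changing routes still need their own CSRF protection; and Vary: Origin is sent on every response so a shared cache never serves one origin's reflected header to another. The same allowlist check can be passed to the cors package's origin option as a callback instead of reimplementing the header logic.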
