
Why Cursor Keeps Writing Wildcard CORS Into Your Express APIs
TL;DR
- Cursor generates cors({ origin: '*' }) on nearly every Express app it builds
- Wildcard CORS + Bearer tokens in localStorage means any site can make authenticated requests on behalf of your users
- One-line fix: replace '*' with an explicit origin allowlist

I was reviewing a side project last week. A Node/Express REST API built almost entirely with Cursor. The developer was sharp. The code was clean. The CORS config was a disaster.

Every single endpoint was configured with app.use(cors({ origin: '*' })). The app handled user accounts, subscription data, and a connected Stripe integration. Wide open to any origin on the internet.

I've seen this exact pattern in a dozen Cursor-generated projects now. It's not a Cursor bug. It's a training data problem.

The Vulnerable Code (CWE-942)

Here's what Cursor produces when you ask it to add CORS to an Express app:

const express = require('express');
const cors = require('cors');
const app = express();
app.use(cors({ origin: '
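
The allowlist fix named in the TL;DR, sketched as an added example (not code from the original post): an exact-match origin check in the `(origin, callback)` shape that the cors package's `origin` option accepts, plus startup validation of the configured entries. The origins and the helper names `buildAllowlist`, `isAllowedOrigin` and `corsOriginCheck` are assumptions made for illustration.

```javascript
// Added example, not code from the post. Origins are constructed placeholders.

// Validate configured entries at startup so a mistake fails loudly instead of
// silently never matching (trailing slash, path, wildcard, uppercase host).
function buildAllowlist(entries) {
  const allowed = new Set();
  for (const entry of entries) {
    let url;
    try {
      url = new URL(entry);
    } catch {
      throw new Error(`not a valid origin: ${entry}`);
    }
    // A browser sends the serialized origin: scheme://host[:port], nothing else.
    if (!['http:', 'https:'].includes(url.protocol) || url.origin !== entry) {
      throw new Error(`not a serialized http(s) origin: ${entry}`);
    }
    allowed.add(entry);
  }
  return allowed;
}

// Exact string match against the Origin header. No substring, suffix or
// regex matching, so "https://app.example.com.attacker.test" is rejected.
function isAllowedOrigin(allowed, origin) {
  return typeof origin === 'string' && allowed.has(origin);
}

// Returns a function in the (origin, callback) shape accepted by the cors
// package's `origin` option. `origin` is undefined when the request carries no
// Origin header (curl, server-to-server); callback(null, false) means no CORS
// headers are emitted for that request.
function corsOriginCheck(allowed) {
  return (origin, callback) => callback(null, isAllowedOrigin(allowed, origin));
}

const ALLOWED = buildAllowlist(['https://app.example.com', 'https://admin.example.com']);

// Usage with Express (requires the express and cors packages):
//   app.use(cors({ origin: corsOriginCheck(ALLOWED) }));
```
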

