
Your AI-Generated API Is Probably Leaking Credentials via CORS
TL;DR

- AI assistants routinely generate CORS configs that allow any origin to read credentialed responses
- This is exploitable from any attacker-controlled website, no phishing required
- Fix: whitelist origins explicitly and never combine wildcard origins with credentials

I was reviewing a side project last month - a small Express API a friend had built with Cursor. The app handled user sessions with JWT cookies. Functionally it worked fine. But the CORS config caught my eye immediately. This is what the AI had generated:

```javascript
// CWE-942: Permissive Cross-domain Policy with Untrusted Domains
app.use(cors({ origin: '*', credentials: true }));
```

That combination isn't just wrong. It's exploitable. Any website a user visits can make credentialed requests to this API and read the response. The browser actually refuses the * + credentials combo per spec, but developers hit the resulting CORS error and "fix" it by reflecting the Origin header back instead:

```javascript
app.use((req, res, next) =>
```
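The fix the TL;DR calls for, as an added example that is not part of the original post: the reflecting anti-pattern beside an explicit origin allowlist, in the same req/res/next middleware shape, plus a review-time check for both misconfigurations. It assumes plain Node with no Express or cors package, and the allowed origins are constructed placeholders.

```javascript
// Added example (not from the original post): explicit origin allowlisting,
// as plain Node functions so it runs without Express or the `cors` package.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com', // constructed placeholder origins
  'https://admin.example.com',
]);

// The anti-pattern the post describes: echo whatever Origin arrives and allow
// credentials, so every site is trusted with the user's session cookie.
function reflectingCorsHeaders(origin) {
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened: exact-match the Origin against the allowlist. Anything else gets
// no CORS headers at all, so the browser refuses to expose the response.
function allowlistCorsHeaders(origin) {
  if (typeof origin !== 'string' || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // caches must not serve one origin's headers to another
  };
}

// Express-style middleware, the shape of app.use((req, res, next) => ...),
// applying the allowlist and short-circuiting preflight requests.
function corsMiddleware(req, res, next) {
  const headers = allowlistCorsHeaders(req.headers.origin);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  if (req.method === 'OPTIONS') {
    res.statusCode = 204;
    return res.end();
  }
  next();
}

// Review-time check on a response's headers for the two misconfigurations in
// the post: `*` with credentials (rejected by browsers) and reflection of a
// non-allowlisted Origin with credentials (exploitable). `testedOrigin` is the
// Origin header the request was sent with.
function isPermissiveCredentialedCors(headers, testedOrigin) {
  if (headers['Access-Control-Allow-Credentials'] !== 'true') return false;
  const acao = headers['Access-Control-Allow-Origin'];
  return acao === '*' || (acao === testedOrigin && !ALLOWED_ORIGINS.has(testedOrigin));
}
```

Run `isPermissiveCredentialedCors` against the headers your API actually returns for an Origin you do not own; a `true` result is the finding the post describes.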