
Your AI-Generated Backend Has Its CORS Wide Open
TL;DR

- AI scaffolding tools default to `cors()` or `cors({ origin: '*' })`: wildcard CORS that lets any website call your API and read the responses.
- Wildcard `*` by itself exposes whatever the API returns to unauthenticated callers; browsers refuse to pair `*` with credentials, so the worse case is an origin that is reflected back with `credentials: true`, which lets a malicious site make authenticated requests with your users' cookies.
- Two lines of config (an explicit origin allowlist, and credentials only alongside it) are the fix, but only if you know to look for it.

I was setting up a new side project last month using Cursor. The AI scaffolded a clean Express server: TypeScript, middleware organized neatly, validation on the inputs. I copy-pasted it, ran it, everything worked. No CORS errors in the browser. Then I actually read what it wrote.

```typescript
import cors from 'cors';

app.use(cors());
```

No configuration. `cors()` with no arguments defaults to `origin: '*'`, so the response carries `Access-Control-Allow-Origin: *` for every caller. Every domain on the internet can make cross-origin requests to this API and read what comes back.

I have seen this in every AI-scaffolded Node backend I have reviewed in the past year. Sometimes it is `cors()`, sometimes it is `cors({ origin: '*' })` written out explicitly. The result is the same.

What Wildcard CORS Actually Al
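The following is an added example, not code from the article and not the `cors` package itself. It is a dependency-free stand-in for the package's origin handling so the wildcard default and an allowlist can be compared side by side, plus a small audit helper for reading a real server's response headers. The origins (`app.example.com`, `admin.example.com`, `evil.example`) and the function names `corsHeaders` and `classify` are made up for illustration; the option shapes (`origin` as a string or array, `credentials: true`) match what the real `cors` package accepts.

```javascript
// Added example (not the article's code, not the cors package). Origins below are made up.
const ALLOWED_ORIGINS = [
  'https://app.example.com',
  'https://admin.example.com',
];

// What cors() gives you out of the box: every caller gets '*'.
const WILDCARD_OPTIONS = { origin: '*' };

// The two-line fix: an explicit allowlist, and credentials only alongside it.
// (The real package would be configured as cors({ origin: [...], credentials: true }).)
const ALLOWLIST_OPTIONS = { origin: ALLOWED_ORIGINS, credentials: true };

// Compute the CORS response headers for a request that carries `requestOrigin`.
// An empty object means "no Access-Control-Allow-Origin at all", which makes the
// browser block the cross-origin read. The one combination browsers never accept,
// '*' together with credentials, is rejected here instead of silently emitted.
function corsHeaders(requestOrigin, options) {
  const headers = {};
  if (options.origin === '*') {
    if (options.credentials) {
      throw new Error('credentials: true cannot be combined with origin "*"');
    }
    headers['Access-Control-Allow-Origin'] = '*';
    return headers;
  }
  const allowed = Array.isArray(options.origin) ? options.origin : [options.origin];
  if (!requestOrigin || !allowed.includes(requestOrigin)) {
    return headers; // not on the list: send nothing, the browser refuses the response
  }
  // Echo the matched origin (never '*') and tell caches the answer depends on Origin.
  headers['Access-Control-Allow-Origin'] = requestOrigin;
  headers['Vary'] = 'Origin';
  if (options.credentials) {
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Audit helper: given the headers an API actually returned to a probe whose
// Origin you chose (e.g. https://evil.example), say how exposed it is.
function classify(responseHeaders, probeOrigin) {
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  const creds = responseHeaders['Access-Control-Allow-Credentials'] === 'true';
  if (acao === undefined) return 'restricted';
  if (acao === '*') return creds ? 'invalid' : 'wildcard';
  if (acao === probeOrigin) return creds ? 'reflected-with-credentials' : 'reflected';
  return 'restricted';
}

// Constructed probe: an attacker-controlled page calling the API.
const ATTACKER = 'https://evil.example';
console.log(classify(corsHeaders(ATTACKER, WILDCARD_OPTIONS), ATTACKER));   // wildcard
console.log(classify(corsHeaders(ATTACKER, ALLOWLIST_OPTIONS), ATTACKER));  // restricted

module.exports = { ALLOWED_ORIGINS, WILDCARD_OPTIONS, ALLOWLIST_OPTIONS, corsHeaders, classify };
```

To check a deployed API the same way, send it a request with an Origin header you control (`curl -i -H 'Origin: https://evil.example' https://your-api/...`) and look at `Access-Control-Allow-Origin` in the reply: `*`, or an echo of the origin you just made up, means any site can call it; `classify` above returns the same verdicts for headers you paste in.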
Continue reading on Dev.to Webdev



