Your AI Wrote a CORS Config That Lets Any Website Read Your API

via Dev.to Webdev • BusyAgents • 3h ago

TL;DR

  • AI assistants default to Access-Control-Allow-Origin: * — a wildcard that opens your API to every domain on the internet
  • When combined with a naive credentials check, this escalates from sloppy to exploitable
  • Audit every CORS config your AI generated and replace wildcards with explicit origin lists

I was reviewing a side project a friend built with Cursor last month. Node/Express backend, straightforward REST API, nothing fancy. The app worked fine. The CORS setup was a different story.

Every route was wide open. One line at the top of the file: app.use(cors()). No origin list, no credentials check, no thought. Just a call to the cors package with zero config. I've seen this pattern in probably a third of AI-generated Express apps I've touched this year.

The default behavior of cors() in Express sets Access-Control-Allow-Origin: *. That means any website on the internet can make cross-origin requests to the API from a visitor's browser. For a read-only public API, that's maybe

Continue reading on Dev.to Webdev
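
An added example, not code from the original article: one way to replace the bare app.use(cors()) with an explicit origin list, using the cors package's documented origin function and credentials options. The function names and the example.com origins are hypothetical, and credentials: true assumes the API relies on cookies.

```javascript
// Added example. Origins below are constructed placeholders, not from the article.
const ALLOWED_ORIGINS = ['https://app.example.com', 'https://admin.example.com'];

// Validate the allowlist at startup so a wildcard or sloppy entry fails loudly
// instead of silently widening access.
function buildAllowlist(entries) {
  const allowlist = new Set();
  for (const entry of entries) {
    if (entry.includes('*')) throw new Error(`wildcard not allowed: ${entry}`);
    let parsed;
    try {
      parsed = new URL(entry);
    } catch (err) {
      throw new Error(`not a URL origin: ${entry}`);
    }
    // Browsers send Origin as scheme://host[:port] with no path; require the same form.
    if (parsed.origin !== entry) {
      throw new Error(`expected scheme://host[:port]: ${entry}`);
    }
    allowlist.add(entry);
  }
  return allowlist;
}

// Exact string match only: no substring, suffix, or regex tests that a
// lookalike hostname could satisfy.
function isAllowedOrigin(allowlist, origin) {
  return typeof origin === 'string' && allowlist.has(origin);
}

// Options in the shape the cors package accepts: `origin` as (origin, callback)
// and `credentials` as a boolean. callback(null, false) sends no CORS headers,
// so the browser blocks the cross-origin read.
function corsOptions(entries) {
  const allowlist = buildAllowlist(entries);
  return {
    origin: (origin, callback) => callback(null, isAllowedOrigin(allowlist, origin)),
    credentials: true, // assumption: the API uses cookies; drop this if it does not
  };
}

// In the Express app, this replaces the bare app.use(cors()):
//   app.use(cors(corsOptions(ALLOWED_ORIGINS)));
```

Requests with no Origin header (curl, server-to-server calls) simply receive no CORS headers here; CORS is a browser-enforced control, so those callers still need normal authentication.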
