What Is CORS (Cross-Origin Resource Sharing)?

Cross-Origin Resource Sharing (CORS): a browser security mechanism that controls which web origins can read resources served by a different origin. CORS uses HTTP response headers to tell the browser whether a cross-origin request should be allowed. It extends the Same-Origin Policy by providing a controlled way to share resources between different origins.

Why It Matters for AI-Coded Apps

AI-generated backends frequently set CORS to Access-Control-Allow-Origin: * to make development easier, then ship this to production. This allows any website to make API requests to your backend, enabling data theft, CSRF-like attacks, and credential exposure. Misconfigured CORS is one of the most common issues in vibe-coded APIs.

Real-World Example

A backend sets Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true. An attacker’s website makes a fetch request to https://yourapi.com/api/user/profile and receives the authenticated user’s data because the browser sends cookies and the server allows any origin.

How to Detect and Prevent It

Never use * for Access-Control-Allow-Origin in production. Explicitly allowlist your frontend domain(s). Never combine * with Access-Control-Allow-Credentials: true (browsers block this, but reflecting the Origin header is equally dangerous). Validate the Origin header against an allowlist on the server.

Frequently Asked Questions

What is a CORS preflight request?

Before sending certain cross-origin requests (with custom headers, PUT/DELETE methods, or non-standard content types), the browser sends an OPTIONS request to check if the server allows it. The server responds with CORS headers indicating what’s permitted. Only if the preflight succeeds does the actual request proceed.
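The following is an added example, not code from the original article: a dependency-free CORS handler for Node's built-in http module that implements the server-side allowlist validation recommended in the prevention section above and the OPTIONS preflight handshake described here. The allowed origins, methods and header names are assumptions, and the insecure Origin-reflecting variant is included only for contrast with the allowlisted one. Answering an untrusted preflight with 403 and no CORS headers is one reasonable choice; the essential part is that no Access-Control-Allow-Origin header is sent for an origin that is not on the list.

```javascript
// Added example (not from the original article): minimal CORS handling for
// Node's http module, with no framework dependency.

// Assumption: the only origins allowed to call this API from a browser.
const ALLOWED_ORIGINS = new Set([
  'https://yourfrontend.com',
  'https://app.yourfrontend.com',
]);
const ALLOWED_METHODS = 'GET,POST,PUT,DELETE,OPTIONS';
const ALLOWED_HEADERS = 'Content-Type,Authorization';

// INSECURE (shown for contrast): echoes whatever Origin the request carries
// back in Access-Control-Allow-Origin and allows credentials. In effect this
// is "*" plus credentials, but browsers do not block it because the header
// value is never literally "*".
function reflectingCorsHeaders(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// HARDENED: exact-match allowlist. Returns null when no CORS headers should
// be sent, so the browser refuses to expose the response to that origin.
function allowlistedCorsHeaders(requestOrigin) {
  if (typeof requestOrigin !== 'string' || !ALLOWED_ORIGINS.has(requestOrigin)) {
    return null;
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    // The response depends on the Origin request header; tell caches so a
    // response issued for one origin is not replayed to another.
    'Vary': 'Origin',
  };
}

// Decide how to answer a request. Returns a plain object so the policy can be
// unit-tested without a socket; applyCors() writes it to a real response.
// Node lowercases incoming header names, so lookups use lowercase keys.
function corsDecision(method, headers) {
  const cors = allowlistedCorsHeaders(headers['origin']);
  const isPreflight = method === 'OPTIONS' && 'access-control-request-method' in headers;

  if (isPreflight) {
    if (cors === null) {
      // Preflight from an origin we do not trust: no CORS headers at all, so
      // the browser fails the preflight and never sends the real request.
      return { status: 403, headers: {}, passThrough: false };
    }
    return {
      status: 204,
      headers: {
        ...cors,
        'Access-Control-Allow-Methods': ALLOWED_METHODS,
        'Access-Control-Allow-Headers': ALLOWED_HEADERS,
        'Access-Control-Max-Age': '600',
      },
      passThrough: false,
    };
  }
  // Actual request: attach CORS headers only for allowlisted origins, then let
  // the application handler run. Requests with no Origin header (same-origin
  // navigation, curl, server-to-server) get no CORS headers.
  return { status: null, headers: cors || {}, passThrough: true };
}

// Glue for a real server: call first in the request listener. Returns true
// when the request was fully answered (preflight, or rejected preflight).
function applyCors(req, res) {
  const decision = corsDecision(req.method, req.headers);
  for (const [name, value] of Object.entries(decision.headers)) {
    res.setHeader(name, value);
  }
  if (!decision.passThrough) {
    res.writeHead(decision.status);
    res.end();
    return true;
  }
  return false;
}

// Example wiring (left as a comment so the file can be loaded without
// opening a port):
//   const http = require('node:http');
//   http.createServer((req, res) => {
//     if (applyCors(req, res)) return;
//     res.writeHead(200, { 'Content-Type': 'application/json' });
//     res.end(JSON.stringify({ user: 'example' }));
//   }).listen(8080);
```

Because the decision is computed from the method and headers alone, the policy can be checked in a unit test with constructed requests: a preflight from an allowlisted origin gets 204 plus the allow headers, a preflight from any other origin gets 403 with no CORS headers, and a plain GET without an Origin header passes through untouched.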

Why does CORS only apply to browsers?

CORS is a browser-enforced security policy. Server-to-server requests, curl, Postman, and mobile apps don’t enforce CORS. This means CORS protects your users’ browsers from making unauthorized cross-origin requests, but doesn’t protect your API from non-browser clients.

How do I configure CORS in Express.js?

Use the cors package: app.use(cors({ origin: 'https://yourfrontend.com', credentials: true })). For multiple origins, pass an array or a function that validates against an allowlist. Never use origin: true, which reflects any origin.
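As an added example (not from the article and not code from the cors package itself), this is the function form of the origin option mentioned above, built from an allowlist. The cors package calls the function as origin(requestOrigin, callback): callback(null, true) allows the request and echoes that origin in Access-Control-Allow-Origin, while callback(null, false) sends no CORS headers for it. The domain names are assumptions, and the Express wiring is shown in a comment so the file runs without express or cors installed.

```javascript
// Added example (not from the original article): allowlist-based `origin`
// function for the cors middleware. Assumed domain names.

function originAllowlist(allowed) {
  const set = new Set(allowed);
  return function origin(requestOrigin, callback) {
    // Non-browser clients (curl, server-to-server) send no Origin header;
    // they get no CORS headers, which is harmless for them.
    if (!requestOrigin) return callback(null, false);
    // Exact string match only. A startsWith()/includes() check would accept
    // origins such as https://yourfrontend.com.example.net.
    callback(null, set.has(requestOrigin));
  };
}

// Small helper so the policy can be exercised without Express: returns the
// boolean the cors package would receive for a given request origin.
function isAllowedOrigin(originFn, requestOrigin) {
  let result;
  originFn(requestOrigin, (err, allow) => { result = err ? false : allow; });
  return result;
}

// Express wiring (requires express and cors; not executed here):
//   const cors = require('cors');
//   app.use(cors({
//     origin: originAllowlist(['https://yourfrontend.com', 'https://app.yourfrontend.com']),
//     credentials: true,   // acceptable only because origin is never '*' or true
//     methods: ['GET', 'POST', 'PUT', 'DELETE'],
//   }));
```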
