🩹Vibe Code Fix

CORS

CORS (Cross-Origin Resource Sharing) is a browser security rule: if JavaScript on `a.com` wants to call an API on `b.com`, the server at `b.com` has to explicitly say that's okay by sending an `Access-Control-Allow-Origin` header that names `a.com`. Without it, the browser hides the response from the calling script (and for requests that need a preflight, never sends the real request at all). CORS exists to stop evil-site.com from reading your bank's data just because you're logged in. Note what it does not do: a plain `GET` or form-style `POST` still reaches your server even when the browser refuses to show the script the response, so CORS is not a CSRF defence.

The problem is that AI assistants, when asked to 'fix CORS', usually reach for `Access-Control-Allow-Origin: *`, or worse, reflect whatever `Origin` the request carries and add `Access-Control-Allow-Credentials: true`. Both make the console error go away. `*` tells every website on the internet that it may read your API's responses, which is only acceptable for genuinely public data. The reflect-plus-credentials version is the really bad one: any website can now call your API with the user's cookies along for the ride and read what comes back.

The correct fix is to set `Access-Control-Allow-Origin` to the specific origin that should be allowed, like `https://yourapp.com`. If you genuinely need multiple, keep an explicit list, compare the request's `Origin` against it with an exact match (a `startsWith` check or a regex with an unescaped dot lets `https://yourapp.com.evil.com` through), echo the origin back only when it matches, and send `Vary: Origin` so a shared cache never hands one origin's answer to another. Never use `*` with credentials: the browser actually refuses that combination because it's that obviously wrong. Our checklist flags wildcard CORS under security/high because the fix is a one-line change and the exploit is trivial.


Run this against your next diff — the full checklist is on the home page.
