
cors-auditor (listed)

Audit CORS configuration in Express, Next.js, FastAPI, or Flask code for security misconfigurations. Use whenever the user mentions CORS errors, 'blocked by CORS policy', cross-origin issues, configures an API for a frontend, or asks why credentials/cookies aren't being sent cross-origin. Also run it before deploying any API. Runs fully offline — no API keys, no network, no credentials.
Starr-del/ShipSafe · ★ 0 · Web & Frontend · score 70
Install: claude install-skill Starr-del/ShipSafe
# cors-auditor

Part of **shipsafe** — offline deploy-safety skills. Every script is stdlib-only Python 3.8+; nothing leaves the machine.

```bash
python3 scripts/audit_cors.py <project_root> [--json]
```

Checks, in severity order:

- **WILDCARD_WITH_CREDENTIALS** (critical) — browsers reject `*` + credentials outright, and the tempting 'fix' of reflecting the Origin header turns the API into an account-takeover vector. The correct fix is always an explicit allowlist.
- **REFLECTED_ORIGIN** (critical) — `req.headers.origin` echoed back unvalidated = every website can make authenticated calls as your users.
- **NULL_ORIGIN_ALLOWED** (high) — sandboxed iframes can claim `Origin: null`.
- **WILDCARD_PROD** (medium) — legitimate only for truly public read-only APIs; confirm intent with the user.
- **LOCALHOST_IN_LIST** (low) — dev config shipped to prod.

Important nuance when interpreting: the user's actual complaint is usually 'CORS is blocking me' and the most common bad advice on the internet is to widen the policy. Diagnose what origin they actually need, and produce the narrowest config that unblocks them — never suggest `origin: '*'` plus credentials, and never suggest reflecting the request origin without an allowlist check.

Exit codes: 0 clean, 1 findings.

All paths below are relative to this skill's directory (cors-auditor/).