3 CORS Misconfigs Cursor Keeps Writing Into Vibe-Coded APIs

Dev.to AI

TL;DR

- Cursor and Copilot default to origin: '*' when generating Express CORS config, letting any website call your API from a logged-in user's browser
- Pairing origin: '*' with credentials: true gets blocked by browsers, so developers remove credentials to make it work - breaking auth while leaving the wildcard intact
- Fix: pass an origin allowlist function, not a string, and keep credentials: true alongside it

I was reviewing a side project last month. React frontend, Node.js API, the whole thing built in a weekend with Cursor. The code was clean. The architecture was sensible.
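The fix from the TL;DR, as an added example that is not code from the original post: an allowlist function in the `(origin, callback)` form that the `cors` package accepts for its `origin` option, kept alongside `credentials: true`. The hostnames and the helper names `normalizeOrigin`, `checkOrigin` and `isAllowed` are assumptions made for illustration.

```javascript
// Added example. Hostnames are constructed placeholders, not from the post.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Reduce an Origin header to scheme://host[:port].
// Returns null for anything that is not a valid http(s) origin (e.g. "null").
function normalizeOrigin(value) {
  try {
    const u = new URL(value);
    if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
    return u.origin;
  } catch {
    return null;
  }
}

// Function form of the `origin` option: callback(err, allow).
function checkOrigin(origin, callback) {
  // No Origin header (curl, server-to-server, same-origin navigation):
  // no CORS headers are needed, so none are granted.
  if (origin === undefined) return callback(null, false);
  const normalized = normalizeOrigin(origin);
  // Exact match only. Substring, suffix or loose regex checks are what
  // lookalike hosts such as app.example.com.evil.test slip through.
  callback(null, normalized !== null && ALLOWED_ORIGINS.has(normalized));
}

// Allowlist and credentials stay together; no wildcard anywhere.
const corsOptions = {
  origin: checkOrigin,
  credentials: true,
};

// In the Express app (requires the `cors` package):
//   app.use(cors(corsOptions));

// Synchronous wrapper so the decision can be inspected or unit-tested.
function isAllowed(origin) {
  let result = false;
  checkOrigin(origin, (err, allow) => { result = !err && allow === true; });
  return result;
}
```

When the callback receives `false`, `cors` omits the CORS headers but the route handler still runs, so this controls which origins can read responses in a browser and does not replace server-side authentication.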