Wildcard CORS in AI-Generated APIs: What Cursor Won't Catch

Source: DEV Community
TL;DR

- Every Express app I scaffold with Cursor ships with app.use(cors()) — no origin filter, open to any domain
- Wildcard CORS lets any website make credentialed requests to your API from a victim's browser
- Three lines of config fixes it; AI editors don't add them because tutorials never did either

I built a side project over a few weeks, mostly vibe-coded in Cursor. Shipping fast, not overthinking the scaffolding. A friend who does security reviews stopped at one line in my Express setup and said: "this is open to the entire internet."

The line was app.use(cors()). I'd seen it in hundreds of AI-generated tutorials. Cursor drops it in automatically when you ask for an API setup. The CORS errors stop. The app runs. And your API is now reachable from any origin on the web.

The Vulnerable Pattern (CWE-942)

When you ask Cursor or Claude Code to scaffold a Node.js REST API, you typically get this:

const express = require('express');
const cors = require('cors');
const app = express();
app.u
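The fix the post alludes to is an origin allowlist. As an added example (not code from the original post), here is the `origin` callback the `cors` package accepts, plus a small offline model of the response headers so the default `app.use(cors())`, the origin-reflecting `cors({ origin: true, credentials: true })` variant, and the allowlisted config can be compared without running a server. The origins are constructed placeholders.

```javascript
// Hypothetical allowlist: the only front-ends that should be calling this API.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',   // constructed
  'https://admin.example.com', // constructed
]);

// Callback shape expected by cors({ origin: fn }): (requestOrigin, cb(err, allow)).
// Exact string match on purpose: no regex, no startsWith, so
// "https://app.example.com.evil.test" is rejected.
function originCheck(requestOrigin, callback) {
  if (!requestOrigin) return callback(null, false); // no Origin header (curl, same-origin): nothing to grant
  callback(null, ALLOWED_ORIGINS.has(requestOrigin));
}

// Model the CORS response headers for a request Origin under each config.
//   'wildcard'  mirrors the default app.use(cors()): ACAO "*" for every origin
//   'reflect'   mirrors cors({ origin: true, credentials: true }): echoes any origin
//               and grants credentials, which is the credentialed cross-site exposure
//   'allowlist' mirrors cors({ origin: originCheck, credentials: true })
function corsHeaders(config, requestOrigin) {
  const headers = {};
  if (config === 'wildcard') {
    headers['Access-Control-Allow-Origin'] = '*';
    return headers;
  }
  if (config === 'reflect') {
    if (requestOrigin) {
      headers['Access-Control-Allow-Origin'] = requestOrigin;
      headers['Access-Control-Allow-Credentials'] = 'true';
      headers['Vary'] = 'Origin';
    }
    return headers;
  }
  let allowed = false;
  originCheck(requestOrigin, (_err, ok) => { allowed = ok; }); // callback runs synchronously here
  if (allowed) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Access-Control-Allow-Credentials'] = 'true';
    headers['Vary'] = 'Origin'; // caches must not reuse one origin's answer for another
  }
  return headers; // {} means the browser blocks the cross-origin read
}

// Hardened Express wiring, in place of app.use(cors()):
//   app.use(cors({ origin: originCheck, credentials: true }));

console.log('allowlist, evil origin  ->', corsHeaders('allowlist', 'https://evil.test'));
console.log('allowlist, known origin ->', corsHeaders('allowlist', 'https://app.example.com'));
```

Run it with `node` to see the allowlisted config return no CORS headers for an unknown origin and a reflected origin plus credentials only for a listed one.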