Type: L3 Worker Category: 7XX Project Bootstrap Parent: ln-770-crosscutting-setup
Configures Cross-Origin Resource Sharing (CORS) policy with a security-first approach.
Overview

| Field | Value |
|---|---|
| Input | Context Store from ln-770 |
| Output | CORS configuration with environment-specific policies |
| Stacks | .NET (ASP.NET Core CORS), Python (FastAPI CORSMiddleware) |
Phase 1: Receive Context

Accept Context Store from coordinator.

Required Context:

- STACK: .NET or Python
- PROJECT_ROOT: Project directory path
- ENVIRONMENT: Development or Production

Idempotency Check:

- .NET: Grep for `AddCors` or `UseCors`
- Python: Grep for `CORSMiddleware`
- If found: Return `{ "status": "skipped" }`
Phase 2: Analyze Project Structure

Determine frontend configuration.

Detection Steps:

- Check for frontend in same repository (`/frontend`, `/client`, `/web`)
- Read `.env` or `appsettings.json` for CORS_ORIGINS
- Identify common frontend ports (3000, 5173, 4200)

Detected Frontend Origins:

| Framework | Port | Origin |
|---|---|---|
| React (CRA) | 3000 | http://localhost:3000 |
| Vite | 5173 | http://localhost:5173 |
| Angular | 4200 | http://localhost:4200 |
| Next.js | 3000 | http://localhost:3000 |
Phase 3: Decision Points

Q1: Allowed Origins

| Environment | Allowed Origins |
|---|---|
| Development | Allow localhost origins (configurable) |
| Production | Explicit origins from environment variables only |

Security Warning: Never use `*` (wildcard) with credentials.

Q2: Allowed Methods

| Method | Allow | Purpose |
|---|---|---|
| GET | ✓ Yes | Read operations |
| POST | ✓ Yes | Create operations |
| PUT | ✓ Yes | Update operations |
| DELETE | ✓ Yes | Delete operations |
| PATCH | Optional | Partial updates |
| OPTIONS | ✓ Yes | Preflight requests (automatic) |

Q3: Credentials Support

| Auth Scheme | Credentials | Note |
|---|---|---|
| Cookie-based auth | ✓ Yes | Required for cookies |
| JWT in header | ✗ No | Not needed |
| OAuth2 | Depends | Check documentation |

Warning: `AllowCredentials = true` prohibits the `*` origin.

Q4: Preflight Cache Duration

| Environment | Max-Age (seconds) | Rationale |
|---|---|---|
| Development | 0 | Immediate config changes |
| Production | 86400 (24h) | Reduce preflight requests |
Phase 4: Generate Configuration

.NET Output Files

| File | Purpose |
|---|---|
| Extensions/CorsExtensions.cs | CORS service registration |
| appsettings.json (update) | Origins configuration |
| appsettings.Development.json (update) | Dev origins |

Generation Process:

- Use MCP ref for current ASP.NET Core CORS API
- Generate CorsExtensions with:
  - Development policy (permissive)
  - Production policy (restrictive)
  - Environment-based policy selection
- Update appsettings with CORS:Origins

Registration Code:

```csharp
builder.Services.AddCorsPolicy(builder.Configuration);
// ...
app.UseCors(builder.Environment.IsDevelopment() ? "Development" : "Production");
```
Python Output Files

| File | Purpose |
|---|---|
| middleware/cors_config.py | CORS middleware configuration |
| .env (update) | CORS_ORIGINS variable |

Generation Process:

- Use MCP ref for FastAPI CORSMiddleware
- Generate cors_config.py with:
  - Origin parsing from environment
  - Method and header configuration
  - Credentials handling
- Update .env with CORS_ORIGINS

Registration Code:

```python
from middleware.cors_config import configure_cors
configure_cors(app)
```
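The following is an added example of what the Python side of Phases 3 and 4 can look like once the decision points are encoded as checks rather than left to convention; it is not the worker's generated `cors_config.py`. It assumes the origin list is read from the CORS_ORIGINS variable named above, that an ENVIRONMENT variable selects the policy (an assumption; the page names ENVIRONMENT only as a context value), and that the FastAPI `CORSMiddleware` keyword arguments `allow_origins`, `allow_methods`, `allow_headers`, `allow_credentials` and `max_age` are used as documented by Starlette.

```python
"""Environment-aware CORS settings for a FastAPI application.

Added example, not the worker's generated cors_config.py. Assumes the
CORS_ORIGINS and ENVIRONMENT environment variables (the latter is an
assumption, the page names it only as a context value).
"""
import os
from urllib.parse import urlsplit

# Constructed development defaults for the frontend ports listed in Phase 2
# (CRA/Next.js on 3000, Vite on 5173, Angular on 4200).
DEV_DEFAULT_ORIGINS = [
    "http://localhost:3000",
    "http://localhost:5173",
    "http://localhost:4200",
]
# Explicit method list: no "allow anything" wildcard in either environment.
ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE", "OPTIONS"]
ALLOWED_HEADERS = ["Authorization", "Content-Type"]


def parse_origins(raw: str) -> list[str]:
    """Split a comma-separated CORS_ORIGINS value into normalised origins.

    Whitespace and trailing slashes are stripped; anything that is not a bare
    scheme://host[:port] (or the literal "*") is rejected early.
    """
    origins = []
    for item in raw.split(","):
        item = item.strip().rstrip("/")
        if not item:
            continue
        if item == "*":
            origins.append(item)  # kept so validate_cors_settings can reject it
            continue
        parts = urlsplit(item)
        if parts.scheme not in ("http", "https") or not parts.netloc or parts.path:
            raise ValueError(f"invalid origin: {item!r}")
        origins.append(item)
    return origins


def validate_cors_settings(settings: dict, is_dev: bool) -> None:
    """Enforce the Phase 3 warnings and the Security Checklist."""
    origins = settings["allow_origins"]
    if "*" in origins and settings["allow_credentials"]:
        raise ValueError("wildcard origin cannot be combined with credentials")
    if is_dev:
        return
    if not origins:
        raise ValueError("production requires explicit CORS_ORIGINS")
    if "*" in origins:
        raise ValueError("wildcard origin is not allowed in production")
    for origin in origins:
        if urlsplit(origin).hostname in ("localhost", "127.0.0.1"):
            raise ValueError(f"localhost origin in production: {origin}")


def build_cors_settings(environment: str, raw_origins: str = "",
                        allow_credentials: bool = True) -> dict:
    """Return CORSMiddleware keyword arguments for one environment.

    Development falls back to the localhost defaults and disables preflight
    caching; Production accepts only configured origins and caches for 24h.
    """
    is_dev = environment.strip().lower() == "development"
    origins = parse_origins(raw_origins)
    if is_dev and not origins:
        origins = list(DEV_DEFAULT_ORIGINS)
    settings = {
        "allow_origins": origins,
        "allow_methods": ALLOWED_METHODS,
        "allow_headers": ALLOWED_HEADERS,
        "allow_credentials": allow_credentials,
        "max_age": 0 if is_dev else 86400,
    }
    validate_cors_settings(settings, is_dev)
    return settings


def is_valid_cors_config(environment: str, raw_origins: str = "",
                         allow_credentials: bool = True) -> bool:
    """True when the combination passes validation, False when rejected."""
    try:
        build_cors_settings(environment, raw_origins, allow_credentials)
    except ValueError:
        return False
    return True


def configure_cors(app) -> dict:
    """Attach CORSMiddleware to a FastAPI/Starlette app from the environment.

    The FastAPI import is deferred so the policy logic above runs without
    the framework installed.
    """
    settings = build_cors_settings(
        os.environ.get("ENVIRONMENT", "Production"),
        os.environ.get("CORS_ORIGINS", ""),
    )
    from fastapi.middleware.cors import CORSMiddleware
    app.add_middleware(CORSMiddleware, **settings)
    return settings
```

Validation happens at startup rather than at request time, so a production deployment with an empty or wildcard origin list fails fast instead of silently serving a permissive policy; the `is_valid_cors_config` helper exists so the same rules can be exercised from a test without a running app.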
Phase 5: Validate

Validation Steps:

- Syntax check:
  - .NET: `dotnet build --no-restore`
  - Python: `python -m py_compile middleware/cors_config.py`
- CORS test:

  ```bash
  # Test preflight request
  curl -X OPTIONS http://localhost:5000/api/test \
    -H "Origin: http://localhost:3000" \
    -H "Access-Control-Request-Method: POST" \
    -v
  ```

- Verify headers:
  - Access-Control-Allow-Origin: Should match request origin
  - Access-Control-Allow-Methods: Should list allowed methods
  - Access-Control-Allow-Credentials: true (if enabled)
  - Access-Control-Max-Age: Cache duration
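The header checks above are easy to get wrong by eye, so here is an added example (not part of the worker) that turns them into a repeatable check: it reads the response headers out of the `curl -v` output (the lines prefixed with `< `) and reports every checklist item that fails for the requested origin, method, credentials setting and expected Max-Age. The two captures embedded below are constructed for the example.

```python
"""Verify a CORS preflight response against the expected policy.

Added example, not part of the worker. Parses the response lines that
curl -v prints (prefixed with "< "); the captures below are constructed.
"""

# Constructed capture of a correct Development preflight (Max-Age 0).
GOOD_CAPTURE = """\
> OPTIONS /api/test HTTP/1.1
> Origin: http://localhost:3000
> Access-Control-Request-Method: POST
>
< HTTP/1.1 204 No Content
< Access-Control-Allow-Origin: http://localhost:3000
< Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
< Access-Control-Allow-Credentials: true
< Access-Control-Max-Age: 0
<
"""

# Constructed capture of a misconfigured server: wildcard origin together
# with credentials, POST missing from the method list, no Max-Age.
BAD_CAPTURE = """\
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: GET
< Access-Control-Allow-Credentials: true
<
"""


def parse_curl_response_headers(verbose_output: str) -> dict:
    """Collect response headers from curl -v output.

    Only lines starting with "< " are response lines; header names are
    lower-cased and the status line is stored under "status".
    """
    headers = {}
    for line in verbose_output.splitlines():
        if not line.startswith("< "):
            continue
        body = line[2:].strip()
        if not body:
            continue
        if body.startswith("HTTP/"):
            headers["status"] = body
            continue
        name, _, value = body.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def verify_preflight(headers: dict, origin: str, method: str,
                     credentials: bool = True, max_age=None) -> list:
    """Return the list of checklist failures; empty means the preflight is correct."""
    problems = []
    acao = headers.get("access-control-allow-origin")
    if acao != origin:
        problems.append(f"Allow-Origin is {acao!r}, expected {origin!r}")
    if acao == "*" and credentials:
        problems.append("wildcard origin combined with credentials")
    raw_methods = headers.get("access-control-allow-methods", "")
    methods = [m.strip().upper() for m in raw_methods.split(",") if m.strip()]
    if method.upper() not in methods:
        problems.append(f"{method} not in Allow-Methods {methods}")
    acac = headers.get("access-control-allow-credentials")
    if credentials and acac != "true":
        problems.append("Allow-Credentials missing or not 'true'")
    if not credentials and acac is not None:
        problems.append("Allow-Credentials sent although credentials are not needed")
    if max_age is not None and headers.get("access-control-max-age") != str(max_age):
        problems.append(f"Max-Age is {headers.get('access-control-max-age')!r}, expected {max_age}")
    return problems


if __name__ == "__main__":
    for label, capture in (("good", GOOD_CAPTURE), ("bad", BAD_CAPTURE)):
        found = verify_preflight(parse_curl_response_headers(capture),
                                 "http://localhost:3000", "POST",
                                 credentials=True, max_age=0)
        print(label, found or "OK")
```

Run it against a saved `curl -v` capture by reading the file into `parse_curl_response_headers` and passing the origin and method from the curl command; for Production pass `max_age=86400` so the preflight-caching checklist item is covered as well.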
Security Checklist

Before completing, verify:

- No wildcard `*` origin in production
- Explicit allowed methods (not AllowAnyMethod in prod)
- Credentials only if needed
- Origins from environment variables in production
- Preflight caching enabled in production
Return to Coordinator

```json
{
  "status": "success",
  "files_created": [
    "Extensions/CorsExtensions.cs"
  ],
  "packages_added": [],
  "registration_code": "builder.Services.AddCorsPolicy(configuration);",
  "message": "Configured CORS with Development and Production policies"
}
```
Reference Links
Version: 2.0.0 Last Updated: 2026-01-10