ln-773-cors-configurator
Configures CORS policy for development and production environments. Use when setting up cross-origin access for APIs.
Best use case
ln-773-cors-configurator is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Configures CORS policy for development and production environments. Use when setting up cross-origin access for APIs.
Teams using ln-773-cors-configurator should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/ln-773-cors-configurator/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How ln-773-cors-configurator Compares
| Feature / Agent | ln-773-cors-configurator | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Configures CORS policy for development and production environments. Use when setting up cross-origin access for APIs.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# ln-773-cors-configurator
**Type:** L3 Worker
**Category:** 7XX Project Bootstrap
Configures Cross-Origin Resource Sharing (CORS) policy with security-first approach.
---
## Overview
| Aspect | Details |
|--------|---------|
| **Input** | Context Store from ln-770 |
| **Output** | CORS configuration with environment-specific policies |
| **Stacks** | .NET (ASP.NET Core CORS), Python (FastAPI CORSMiddleware) |
---
## Phase 1: Receive Context
Accept Context Store from coordinator.
**Required Context:**
- `STACK`: .NET or Python
- `PROJECT_ROOT`: Project directory path
- `ENVIRONMENT`: Development or Production
**Idempotency Check:**
- .NET: Grep for `AddCors` or `UseCors`
- Python: Grep for `CORSMiddleware`
- If found: Return `{ "status": "skipped" }`
---
## Phase 2: Analyze Project Structure
Determine frontend configuration.
**Detection Steps:**
1. Check for frontend in same repository (`/frontend`, `/client`, `/web`)
2. Read `.env` or `appsettings.json` for CORS_ORIGINS
3. Identify common frontend ports (3000, 5173, 4200)
**Detected Frontend Origins:**
| Framework | Default Port | Origin |
|-----------|--------------|--------|
| React (CRA) | 3000 | http://localhost:3000 |
| Vite | 5173 | http://localhost:5173 |
| Angular | 4200 | http://localhost:4200 |
| Next.js | 3000 | http://localhost:3000 |
---
## Phase 3: Decision Points
### Q1: Allowed Origins
| Environment | Strategy |
|-------------|----------|
| **Development** | Allow localhost origins (configurable) |
| **Production** | Explicit origins from environment variables only |
**Security Warning:** Never use `*` (wildcard) with credentials.
### Q2: Allowed Methods
| Method | Default | Notes |
|--------|---------|-------|
| GET | ✓ Yes | Read operations |
| POST | ✓ Yes | Create operations |
| PUT | ✓ Yes | Update operations |
| DELETE | ✓ Yes | Delete operations |
| PATCH | Optional | Partial updates |
| OPTIONS | ✓ Yes | Preflight requests (automatic) |
### Q3: Credentials Support
| Scenario | AllowCredentials | Notes |
|----------|------------------|-------|
| Cookie-based auth | ✓ Yes | Required for cookies |
| JWT in header | ✗ No | Not needed |
| OAuth2 | Depends | Check documentation |
**Warning:** AllowCredentials = true prohibits `*` origin.
### Q4: Preflight Cache Duration
| Environment | MaxAge | Rationale |
|-------------|--------|-----------|
| Development | 0 | Immediate config changes |
| Production | 86400 (24h) | Reduce preflight requests |
---
## Phase 4: Generate Configuration
### .NET Output Files
| File | Purpose |
|------|---------|
| `Extensions/CorsExtensions.cs` | CORS service registration |
| `appsettings.json` (update) | Origins configuration |
| `appsettings.Development.json` (update) | Dev origins |
**Generation Process:**
1. Use MCP ref for current ASP.NET Core CORS API
2. Generate CorsExtensions with:
- Development policy (permissive)
- Production policy (restrictive)
- Environment-based policy selection
3. Update appsettings with CORS:Origins
**Registration Code:**
```csharp
builder.Services.AddCorsPolicy(builder.Configuration);
// ...
app.UseCors(builder.Environment.IsDevelopment() ? "Development" : "Production");
```
### Python Output Files
| File | Purpose |
|------|---------|
| `middleware/cors_config.py` | CORS middleware configuration |
| `.env` (update) | CORS_ORIGINS variable |
**Generation Process:**
1. Use MCP ref for FastAPI CORSMiddleware
2. Generate cors_config.py with:
- Origin parsing from environment
- Method and header configuration
- Credentials handling
3. Update .env with CORS_ORIGINS
**Registration Code:**
```python
from middleware.cors_config import configure_cors
configure_cors(app)
```
---
## Phase 5: Validate
**Validation Steps:**
1. **Syntax check:**
- .NET: `dotnet build --no-restore`
- Python: `python -m py_compile middleware/cors_config.py`
2. **CORS test:**
```bash
# Test preflight request
curl -X OPTIONS http://localhost:5000/api/test \
-H "Origin: http://localhost:3000" \
-H "Access-Control-Request-Method: POST" \
-v
```
3. **Verify headers:**
- `Access-Control-Allow-Origin`: Should match request origin
- `Access-Control-Allow-Methods`: Should list allowed methods
- `Access-Control-Allow-Credentials`: true (if enabled)
- `Access-Control-Max-Age`: Cache duration
---
## Security Checklist
Before completing, verify:
- [ ] No wildcard `*` origin in production
- [ ] Explicit allowed methods (not `AllowAnyMethod` in prod)
- [ ] Credentials only if needed
- [ ] Origins from environment variables in production
- [ ] Preflight caching enabled in production
---
## Return to Coordinator
```json
{
"status": "success",
"files_created": [
"Extensions/CorsExtensions.cs"
],
"packages_added": [],
"registration_code": "builder.Services.AddCorsPolicy(configuration);",
"message": "Configured CORS with Development and Production policies"
}
```
---
## Reference Links
- [ASP.NET Core CORS](https://learn.microsoft.com/aspnet/core/security/cors)
- [FastAPI CORS](https://fastapi.tiangolo.com/tutorial/cors/)
- [MDN CORS](https://developer.mozilla.org/docs/Web/HTTP/CORS)
---
## Critical Rules
- **Never use wildcard `*` origin with credentials** — security violation per CORS spec
- **Production origins from environment variables only** — no hardcoded URLs in code
- **Separate Development and Production policies** — permissive locally, restrictive in production
- **Idempotent** — if `AddCors`/`UseCors` or `CORSMiddleware` exists, return `status: "skipped"`
- **Enable preflight caching in Production** — MaxAge 86400 (24h) to reduce OPTIONS requests
## Definition of Done
- [ ] Context Store received (stack, project root, environment)
- [ ] Frontend origins detected (port/framework auto-detection)
- [ ] User decisions collected (origins, methods, credentials, cache duration)
- [ ] CORS configuration generated with environment-specific policies
- [ ] Security checklist verified (no wildcard + credentials, explicit methods, env-based origins)
- [ ] Syntax validated (`dotnet build` or `py_compile`)
- [ ] Structured JSON response returned to ln-770 coordinator
---
**Version:** 2.0.0
**Last Updated:** 2026-01-10Related Skills
ln-771-logging-configurator
Configures structured JSON logging with Serilog (.NET) or structlog (Python). Use when adding logging to backend projects.
ln-741-linter-configurator
Configures ESLint, Prettier, Ruff, mypy, and .NET analyzers. Use when setting up linting and formatting for a project.
ln-733-env-configurator
Configures environment variables and secrets protection. Use when setting up .env files and gitignore rules for a project.
ln-012-mcp-configurator
Installs MCP packages, registers servers in Claude Code, configures hooks, permissions, and migrations. Use when MCP needs setup or reconfiguration.
ln-914-community-responder
Responds to unanswered GitHub discussions and issues with codebase-informed replies. Use when clearing community question backlog.
ln-913-community-debater
Launches RFC and debate discussions on GitHub. Use when proposing changes that need community input or voting.
ln-912-community-announcer
Composes and publishes announcements to GitHub Discussions. Use when sharing releases, updates, or news with the community.
ln-911-github-triager
Produces prioritized triage report from open GitHub issues, PRs, and discussions. Use when reviewing community backlog.
ln-910-community-engagement
Analyzes community health and delegates engagement tasks. Use when managing GitHub issues, discussions, and announcements.
ln-840-benchmark-compare
Runs built-in vs hex-line benchmark with scenario manifests, activation checks, and diff-based correctness. Use when measuring hex-line MCP performance against built-in tools.
ln-832-bundle-optimizer
Reduces JS/TS bundle size via tree-shaking, code splitting, and unused dependency removal. Use when optimizing frontend bundle size.
ln-831-oss-replacer
Replaces custom modules with OSS packages using atomic keep/discard testing. Use when migrating custom code to established libraries.