ln-773-cors-configurator
npx machina-cli add skill levnikolaevich/claude-code-skills/ln-773-cors-configurator --openclawFiles (1)
SKILL.md
6.2 KB
ln-773-cors-configurator
Type: L3 Worker Category: 7XX Project Bootstrap Parent: ln-770-crosscutting-setup
Configures Cross-Origin Resource Sharing (CORS) policy with security-first approach.
Overview
| Aspect | Details |
|---|---|
| Input | Context Store from ln-770 |
| Output | CORS configuration with environment-specific policies |
| Stacks | .NET (ASP.NET Core CORS), Python (FastAPI CORSMiddleware) |
Phase 1: Receive Context
Accept Context Store from coordinator.
Required Context:
STACK: .NET or PythonPROJECT_ROOT: Project directory pathENVIRONMENT: Development or Production
Idempotency Check:
- .NET: Grep for
AddCorsorUseCors - Python: Grep for
CORSMiddleware - If found: Return
{ "status": "skipped" }
Phase 2: Analyze Project Structure
Determine frontend configuration.
Detection Steps:
- Check for frontend in same repository (
/frontend,/client,/web) - Read
.envorappsettings.jsonfor CORS_ORIGINS - Identify common frontend ports (3000, 5173, 4200)
Detected Frontend Origins:
| Framework | Default Port | Origin |
|---|---|---|
| React (CRA) | 3000 | http://localhost:3000 |
| Vite | 5173 | http://localhost:5173 |
| Angular | 4200 | http://localhost:4200 |
| Next.js | 3000 | http://localhost:3000 |
Phase 3: Decision Points
Q1: Allowed Origins
| Environment | Strategy |
|---|---|
| Development | Allow localhost origins (configurable) |
| Production | Explicit origins from environment variables only |
Security Warning: Never use * (wildcard) with credentials.
Q2: Allowed Methods
| Method | Default | Notes |
|---|---|---|
| GET | ✓ Yes | Read operations |
| POST | ✓ Yes | Create operations |
| PUT | ✓ Yes | Update operations |
| DELETE | ✓ Yes | Delete operations |
| PATCH | Optional | Partial updates |
| OPTIONS | ✓ Yes | Preflight requests (automatic) |
Q3: Credentials Support
| Scenario | AllowCredentials | Notes |
|---|---|---|
| Cookie-based auth | ✓ Yes | Required for cookies |
| JWT in header | ✗ No | Not needed |
| OAuth2 | Depends | Check documentation |
Warning: AllowCredentials = true prohibits * origin.
Q4: Preflight Cache Duration
| Environment | MaxAge | Rationale |
|---|---|---|
| Development | 0 | Immediate config changes |
| Production | 86400 (24h) | Reduce preflight requests |
Phase 4: Generate Configuration
.NET Output Files
| File | Purpose |
|---|---|
Extensions/CorsExtensions.cs | CORS service registration |
appsettings.json (update) | Origins configuration |
appsettings.Development.json (update) | Dev origins |
Generation Process:
- Use MCP ref for current ASP.NET Core CORS API
- Generate CorsExtensions with:
- Development policy (permissive)
- Production policy (restrictive)
- Environment-based policy selection
- Update appsettings with CORS:Origins
Registration Code:
builder.Services.AddCorsPolicy(builder.Configuration);
// ...
app.UseCors(builder.Environment.IsDevelopment() ? "Development" : "Production");
Python Output Files
| File | Purpose |
|---|---|
middleware/cors_config.py | CORS middleware configuration |
.env (update) | CORS_ORIGINS variable |
Generation Process:
- Use MCP ref for FastAPI CORSMiddleware
- Generate cors_config.py with:
- Origin parsing from environment
- Method and header configuration
- Credentials handling
- Update .env with CORS_ORIGINS
Registration Code:
from middleware.cors_config import configure_cors
configure_cors(app)
Phase 5: Validate
Validation Steps:
-
Syntax check:
- .NET:
dotnet build --no-restore - Python:
python -m py_compile middleware/cors_config.py
- .NET:
-
CORS test:
# Test preflight request curl -X OPTIONS http://localhost:5000/api/test \ -H "Origin: http://localhost:3000" \ -H "Access-Control-Request-Method: POST" \ -v -
Verify headers:
Access-Control-Allow-Origin: Should match request originAccess-Control-Allow-Methods: Should list allowed methodsAccess-Control-Allow-Credentials: true (if enabled)Access-Control-Max-Age: Cache duration
Security Checklist
Before completing, verify:
- No wildcard
*origin in production - Explicit allowed methods (not
AllowAnyMethodin prod) - Credentials only if needed
- Origins from environment variables in production
- Preflight caching enabled in production
Return to Coordinator
{
"status": "success",
"files_created": [
"Extensions/CorsExtensions.cs"
],
"packages_added": [],
"registration_code": "builder.Services.AddCorsPolicy(configuration);",
"message": "Configured CORS with Development and Production policies"
}
Reference Links
Critical Rules
- Never use wildcard
*origin with credentials — security violation per CORS spec - Production origins from environment variables only — no hardcoded URLs in code
- Separate Development and Production policies — permissive locally, restrictive in production
- Idempotent — if
AddCors/UseCorsorCORSMiddlewareexists, returnstatus: "skipped" - Enable preflight caching in Production — MaxAge 86400 (24h) to reduce OPTIONS requests
Definition of Done
- Context Store received (stack, project root, environment)
- Frontend origins detected (port/framework auto-detection)
- User decisions collected (origins, methods, credentials, cache duration)
- CORS configuration generated with environment-specific policies
- Security checklist verified (no wildcard + credentials, explicit methods, env-based origins)
- Syntax validated (
dotnet buildorpy_compile) - Structured JSON response returned to ln-770 coordinator
Version: 2.0.0 Last Updated: 2026-01-10
Source
git clone https://github.com/levnikolaevich/claude-code-skills/blob/master/ln-773-cors-configurator/SKILL.mdView on GitHub Overview
Configures Cross-Origin Resource Sharing (CORS) policy for development and production with a security-first approach. It consumes the Context Store from ln-770 and outputs environment-specific policies for either .NET (ASP.NET Core) or Python (FastAPI CORSMiddleware).
How This Skill Works
Phase-based workflow: it receives Context (STACK, PROJECT_ROOT, ENVIRONMENT), analyzes the project structure to detect frontend origins and configuration files, then applies decision points to produce a pair of policies (Development and Production). It generates framework-specific files (Extensions/CorsExtensions.cs and appsettings.json for .NET; middleware/cors_config.py and .env for Python) and wires up the registration code.
When to Use It
- Configure a .NET Core API to allow a frontend running on localhost:3000 or 5173 during development.
- Enforce explicit CORS origins from environment variables in production to replace wildcard origins.
- Enable credentials handling for cookie-based or token-based auth without exposing '*' origins.
- Set distinct preflight max-age: 0 for development and 86400 for production to optimize requests.
- Auto-generate and wire CORS configuration files and register policies in either .NET or Python projects.
Quick Start
- Step 1: Receive Context from coordinator (STACK, PROJECT_ROOT, ENVIRONMENT).
- Step 2: Analyze repository for frontend and read env/config to detect CORS origins.
- Step 3: Generate and wire up CORS configuration for .NET or Python and update the relevant files.
Best Practices
- Prefer environment-derived origins in production and avoid '*' with credentials.
- Detect frontend origins automatically when possible (CRA, Vite, Angular, Next).
- Keep development policy permissive but scoped, not globally open.
- Keep policy selection behind a central extension or middleware registration.
- Validate changes with a local build and test preflight requests.
Example Use Cases
- Monorepo with ASP.NET Core backend and CRA frontend in /frontend
- FastAPI API with CORSMiddleware configured via cors_config.py
- Production deployment using explicit CORS_ORIGINS env var and appsettings updates
- Development workflow where changes to CORS config are picked up without recompiling
- Template for adding CORS to new projects via CI PRs
Frequently Asked Questions
Add this skill to your agents
