cors-config
CORS Configuration
CORS is a browser enforcement mechanism. It doesn't protect your API from non-browser clients (curl, server-to-server) — it prevents other websites from making credentialed requests on behalf of your users.
A misconfigured CORS policy is a security boundary failure, not just a developer inconvenience.
The Critical Mistake: Credentials + Wildcard
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
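How a browser evaluates these two headers, as an added example (not part of the original page) that follows a simplified form of the Fetch standard's CORS check. The function name `corsCheck` and the `https://app.example` origin are assumptions made for illustration.

```javascript
// Added example: simplified form of the Fetch standard's "CORS check".
// corsCheck() and the origins below are constructed for illustration.
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  // Header names are case-insensitive, so normalise them before lookup.
  const headers = new Map(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v])
  );
  const allowOrigin = headers.get('access-control-allow-origin');
  const withCredentials = credentialsMode === 'include';

  if (allowOrigin === undefined) {
    return { readable: false, reason: 'no Access-Control-Allow-Origin header' };
  }
  // The wildcard is honoured only for requests sent without credentials.
  if (allowOrigin === '*' && !withCredentials) {
    return { readable: true, reason: 'wildcard, request has no credentials' };
  }
  // Otherwise the value must equal the requesting origin exactly, so a
  // literal "*" can never match a credentialed request.
  if (allowOrigin !== requestOrigin) {
    const reason = allowOrigin === '*'
      ? 'wildcard is not accepted for credentialed requests'
      : 'origin mismatch';
    return { readable: false, reason };
  }
  if (!withCredentials) {
    return { readable: true, reason: 'origin matches' };
  }
  // Credentialed responses also need the exact, case-sensitive value "true".
  if (headers.get('access-control-allow-credentials') === 'true') {
    return { readable: true, reason: 'origin matches and credentials allowed' };
  }
  return { readable: false, reason: 'Access-Control-Allow-Credentials is not "true"' };
}

// Constructed sample: the header pair shown above.
const wildcardWithCredentials = {
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Credentials': 'true',
};
console.log(corsCheck('https://app.example', 'include', wildcardWithCredentials));
console.log(corsCheck('https://app.example', 'omit', wildcardWithCredentials));
```

For a request that needs no preflight, the server has already processed it by the time this check runs; the check only decides whether the page's script may read the response.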
Browsers reject this combination — but some servers approximate it unsafely: