ln-773-cors-configurator
Type: L3 Worker Category: 7XX Project Bootstrap Parent: ln-770-crosscutting-setup
Configures Cross-Origin Resource Sharing (CORS) policy with security-first approach.
Overview
| Aspect | Details |
|---|---|
| Input | Context Store from ln-770 |
| Output | CORS configuration with environment-specific policies |
| Stacks | .NET (ASP.NET Core CORS), Python (FastAPI CORSMiddleware) |
Phase 1: Receive Context
Accept Context Store from coordinator.
Required Context:
STACK: .NET or PythonPROJECT_ROOT: Project directory pathENVIRONMENT: Development or Production
Idempotency Check:
- .NET: Grep for
AddCorsorUseCors - Python: Grep for
CORSMiddleware - If found: Return
{ "status": "skipped" }
Phase 2: Analyze Project Structure
Determine frontend configuration.
Detection Steps:
- Check for frontend in same repository (
/frontend,/client,/web) - Read
.envorappsettings.jsonfor CORS_ORIGINS - Identify common frontend ports (3000, 5173, 4200)
Detected Frontend Origins:
| Framework | Default Port | Origin |
|---|---|---|
| React (CRA) | 3000 | http://localhost:3000 |
| Vite | 5173 | http://localhost:5173 |
| Angular | 4200 | http://localhost:4200 |
| Next.js | 3000 | http://localhost:3000 |
Phase 3: Decision Points
Q1: Allowed Origins
| Environment | Strategy |
|---|---|
| Development | Allow localhost origins (configurable) |
| Production | Explicit origins from environment variables only |
Security Warning: Never use * (wildcard) with credentials.
Q2: Allowed Methods
| Method | Default | Notes |
|---|---|---|
| GET | ✓ Yes | Read operations |
| POST | ✓ Yes | Create operations |
| PUT | ✓ Yes | Update operations |
| DELETE | ✓ Yes | Delete operations |
| PATCH | Optional | Partial updates |
| OPTIONS | ✓ Yes | Preflight requests (automatic) |
Q3: Credentials Support
| Scenario | AllowCredentials | Notes |
|---|---|---|
| Cookie-based auth | ✓ Yes | Required for cookies |
| JWT in header | ✗ No | Not needed |
| OAuth2 | Depends | Check documentation |
Warning: AllowCredentials = true prohibits * origin.
Q4: Preflight Cache Duration
| Environment | MaxAge | Rationale |
|---|---|---|
| Development | 0 | Immediate config changes |
| Production | 86400 (24h) | Reduce preflight requests |
Phase 4: Generate Configuration
.NET Output Files
| File | Purpose |
|---|---|
Extensions/CorsExtensions.cs | CORS service registration |
appsettings.json (update) | Origins configuration |
appsettings.Development.json (update) | Dev origins |
Generation Process:
- Use MCP ref for current ASP.NET Core CORS API
- Generate CorsExtensions with:
- Development policy (permissive)
- Production policy (restrictive)
- Environment-based policy selection
- Update appsettings with CORS:Origins
Registration Code:
builder.Services.AddCorsPolicy(builder.Configuration);
// ...
app.UseCors(builder.Environment.IsDevelopment() ? "Development" : "Production");
Python Output Files
| File | Purpose |
|---|---|
middleware/cors_config.py | CORS middleware configuration |
.env (update) | CORS_ORIGINS variable |
Generation Process:
- Use MCP ref for FastAPI CORSMiddleware
- Generate cors_config.py with:
- Origin parsing from environment
- Method and header configuration
- Credentials handling
- Update .env with CORS_ORIGINS
Registration Code:
from middleware.cors_config import configure_cors
configure_cors(app)
Phase 5: Validate
Validation Steps:
-
Syntax check:
- .NET:
dotnet build --no-restore - Python:
python -m py_compile middleware/cors_config.py
- .NET:
-
CORS test:
# Test preflight request curl -X OPTIONS http://localhost:5000/api/test \ -H "Origin: http://localhost:3000" \ -H "Access-Control-Request-Method: POST" \ -v -
Verify headers:
Access-Control-Allow-Origin: Should match request originAccess-Control-Allow-Methods: Should list allowed methodsAccess-Control-Allow-Credentials: true (if enabled)Access-Control-Max-Age: Cache duration
Security Checklist
Before completing, verify:
- No wildcard
*origin in production - Explicit allowed methods (not
AllowAnyMethodin prod) - Credentials only if needed
- Origins from environment variables in production
- Preflight caching enabled in production
Return to Coordinator
{
"status": "success",
"files_created": [
"Extensions/CorsExtensions.cs"
],
"packages_added": [],
"registration_code": "builder.Services.AddCorsPolicy(configuration);",
"message": "Configured CORS with Development and Production policies"
}
Reference Links
Critical Rules
- Never use wildcard
*origin with credentials — security violation per CORS spec - Production origins from environment variables only — no hardcoded URLs in code
- Separate Development and Production policies — permissive locally, restrictive in production
- Idempotent — if
AddCors/UseCorsorCORSMiddlewareexists, returnstatus: "skipped" - Enable preflight caching in Production — MaxAge 86400 (24h) to reduce OPTIONS requests
Definition of Done
- Context Store received (stack, project root, environment)
- Frontend origins detected (port/framework auto-detection)
- User decisions collected (origins, methods, credentials, cache duration)
- CORS configuration generated with environment-specific policies
- Security checklist verified (no wildcard + credentials, explicit methods, env-based origins)
- Syntax validated (
dotnet buildorpy_compile) - Structured JSON response returned to ln-770 coordinator
Version: 2.0.0 Last Updated: 2026-01-10