---

name: ln-773-cors-configurator description: Configures CORS policy for development and production

ln-773-cors-configurator

Type: L3 Worker Category: 7XX Project Bootstrap Parent: ln-770-crosscutting-setup

Configures Cross-Origin Resource Sharing (CORS) policy with security-first approach.

---

Overview

---

Phase 1: Receive Context

Accept Context Store from coordinator.

Required Context:

• STACK: .NET or Python
• PROJECT_ROOT: Project directory path
• ENVIRONMENT: Development or Production

Idempotency Check:

• .NET: Grep for AddCors or UseCors
• Python: Grep for CORSMiddleware
• If found: Return { "status": "skipped" }

---

Phase 2: Analyze Project Structure

Determine frontend configuration.

Detection Steps:

1. Check for frontend in same repository (/frontend, /client, /web)
2. Read .env or appsettings.json for CORS_ORIGINS
3. Identify common frontend ports (3000, 5173, 4200)

Detected Frontend Origins:

---

Phase 3: Decision Points

Q1: Allowed Origins

Security Warning: Never use * (wildcard) with credentials.

Q2: Allowed Methods

Q3: Credentials Support

Warning: AllowCredentials = true prohibits * origin.

Q4: Preflight Cache Duration

---

Phase 4: Generate Configuration

.NET Output Files

Generation Process:

1. Use MCP ref for current ASP.NET Core CORS API
2. Generate CorsExtensions with:
   • Development policy (permissive)
   • Production policy (restrictive)
   • Environment-based policy selection
3. Update appsettings with CORS:Origins

Registration Code:

Copybuilder.Services.AddCorsPolicy(builder.Configuration);
// ...
app.UseCors(builder.Environment.IsDevelopment() ? "Development" : "Production");

Python Output Files

Generation Process:

1. Use MCP ref for FastAPI CORSMiddleware
2. Generate cors_config.py with:
   • Origin parsing from environment
   • Method and header configuration
   • Credentials handling
3. Update .env with CORS_ORIGINS

Registration Code:

Copyfrom middleware.cors_config import configure_cors
configure_cors(app)

---

Phase 5: Validate

Validation Steps:

1. Syntax check:

   • .NET: dotnet build --no-restore
   • Python: python -m py_compile middleware/cors_config.py

2. CORS test:

   Copy# Test preflight request
   curl -X OPTIONS http://localhost:5000/api/test \
     -H "Origin: http://localhost:3000" \
     -H "Access-Control-Request-Method: POST" \
     -v
   

3. Verify headers:

   • Access-Control-Allow-Origin: Should match request origin
   • Access-Control-Allow-Methods: Should list allowed methods
   • Access-Control-Allow-Credentials: true (if enabled)
   • Access-Control-Max-Age: Cache duration

---

Security Checklist

Before completing, verify:

• No wildcard * origin in production
• Explicit allowed methods (not AllowAnyMethod in prod)
• Credentials only if needed
• Origins from environment variables in production
• Preflight caching enabled in production

---

Return to Coordinator

Copy{
  "status": "success",
  "files_created": [
    "Extensions/CorsExtensions.cs"
  ],
  "packages_added": [],
  "registration_code": "builder.Services.AddCorsPolicy(configuration);",
  "message": "Configured CORS with Development and Production policies"
}

---

Reference Links

• ASP.NET Core CORS
• FastAPI CORS
• MDN CORS

---

Version: 2.0.0 Last Updated: 2026-01-10