eliferjunior/cors
.claude/skills/ts-cors/SKILL.md
Configure CORS for web APIs. Use when a user asks to fix CORS errors, allow cross-origin requests, configure CORS headers, handle preflight requests, or secure API access from different domains.
development
Updated Apr 16, 2026
$ install --global
skillsauthnpx skillsauth add eliferjunior/Claude corsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 17, 2026, 1:28 AM10.9s1 file scanned
SKILL.md
- name:
- cors
- description:
- >-
- license:
- Apache-2.0
- compatibility:
- Express, Fastify, Next.js, any HTTP server
- author:
- terminal-skills
- version:
- 1.0.0
- category:
- devops
CORS (Cross-Origin Resource Sharing)
Overview
CORS controls which websites can call your API from a browser. Without proper CORS headers, browsers block cross-origin requests. Misconfigured CORS is either too restrictive (breaks your frontend) or too permissive (security risk). This skill covers correct configuration for common setups.
Instructions
Step 1: Express
// server.ts — CORS configuration for Express
import cors from 'cors'
import express from 'express'
const app = express()
// Production: whitelist specific origins
const allowedOrigins = [
'https://myapp.com',
'https://admin.myapp.com',
process.env.NODE_ENV === 'development' && 'http://localhost:3000',
].filter(Boolean) as string[]
app.use(cors({
origin: (origin, callback) => {
// Allow requests with no origin (mobile apps, curl, server-to-server)
if (!origin) return callback(null, true)
if (allowedOrigins.includes(origin)) return callback(null, true)
callback(new Error(`Origin ${origin} not allowed by CORS`))
},
credentials: true, // allow cookies/auth headers
methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'],
allowedHeaders: ['Content-Type', 'Authorization'],
maxAge: 86400, // cache preflight for 24h
}))
Step 2: Next.js API Routes
// next.config.ts — CORS via Next.js headers
const nextConfig = {
async headers() {
return [
{
source: '/api/:path*',
headers: [
{ key: 'Access-Control-Allow-Origin', value: 'https://myapp.com' },
{ key: 'Access-Control-Allow-Methods', value: 'GET,POST,PUT,DELETE,OPTIONS' },
{ key: 'Access-Control-Allow-Headers', value: 'Content-Type, Authorization' },
{ key: 'Access-Control-Allow-Credentials', value: 'true' },
{ key: 'Access-Control-Max-Age', value: '86400' },
],
},
]
},
}
Step 3: Manual Headers (Any Framework)
// middleware.ts — Manual CORS for any HTTP server
export function corsMiddleware(req, res, next) {
const origin = req.headers.origin
const allowed = ['https://myapp.com', 'https://admin.myapp.com']
if (allowed.includes(origin)) {
res.setHeader('Access-Control-Allow-Origin', origin)
res.setHeader('Access-Control-Allow-Credentials', 'true')
}
// Handle preflight (OPTIONS) requests
if (req.method === 'OPTIONS') {
res.setHeader('Access-Control-Allow-Methods', 'GET,POST,PUT,DELETE')
res.setHeader('Access-Control-Allow-Headers', 'Content-Type,Authorization')
res.setHeader('Access-Control-Max-Age', '86400')
return res.status(204).end()
}
next()
}
Guidelines
- NEVER use
Access-Control-Allow-Origin: *withcredentials: true— browsers reject this. *origin is only safe for truly public APIs with no authentication.- Always set
Access-Control-Max-Ageto cache preflight responses (reduces OPTIONS requests). - CORS only applies to browser requests — server-to-server calls ignore CORS entirely.
- If using cookies across domains, also set
SameSite=None; Secureon cookies.
Related Skills
eliferjunior/fireworks-ai
development
VerifiedTrustedCommunity
Expert guidance for Fireworks AI, the platform for running open-source LLMs (Llama, Mixtral, Qwen, etc.) with enterprise-grade speed and reliability. Helps developers integrate Fireworks' inference API, fine-tune models, and deploy custom model endpoints with function calling and structured output support.
SKILL.mdUpdated Apr 17, 2026
eliferjunior/firecrawl
development
VerifiedTrustedCommunity
Convert any website into clean, structured data with Firecrawl — API-first web scraping service. Use when someone asks to "turn a website into markdown", "scrape website for LLM", "Firecrawl", "extract website content as clean text", "crawl and convert to structured data", or "scrape website for RAG". Covers single-page scraping, full-site crawling, structured extraction, and LLM-ready output.
SKILL.mdUpdated Apr 16, 2026
eliferjunior/firebase
tools
VerifiedTrustedCommunity
Expert guidance for Firebase, Google's platform for building and scaling web and mobile applications. Helps developers set up authentication, Firestore/Realtime Database, Cloud Functions, hosting, storage, and analytics using Firebase's SDK and CLI.
SKILL.mdUpdated Apr 16, 2026
eliferjunior/file-upload-processor
development
VerifiedTrustedCommunity
When the user needs to build file upload functionality for a web application. Use when the user mentions "file upload," "image upload," "upload endpoint," "multipart upload," "presigned URL," "S3 upload," "file validation," "upload to cloud storage," or "accept user files." Handles upload endpoints, file validation (type, size, magic bytes), cloud storage integration, and upload status tracking. For image/video processing after upload, see media-transcoder.
SKILL.mdUpdated Apr 16, 2026