Claude-code-skills ln-773-cors-configurator

Configures CORS policy for development and production environments. Use when setting up cross-origin access for APIs.

install

source · Clone the upstream repo

git clone https://github.com/levnikolaevich/claude-code-skills

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/levnikolaevich/claude-code-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills-catalog/ln-773-cors-configurator" ~/.claude/skills/levnikolaevich-claude-code-skills-ln-773-cors-configurator && rm -rf "$T"

manifest: skills-catalog/ln-773-cors-configurator/SKILL.md

source content

ln-773-cors-configurator

Type: L3 Worker Category: 7XX Project Bootstrap

Configures Cross-Origin Resource Sharing (CORS) policy with security-first approach.

Overview

Aspect	Details
Input	Context Store from ln-770
Output	CORS configuration with environment-specific policies
Stacks	.NET (ASP.NET Core CORS), Python (FastAPI CORSMiddleware)

Phase 1: Receive Context

Accept Context Store from coordinator.

Required Context:

```
STACK
```
: .NET or Python
```
PROJECT_ROOT
```
: Project directory path
```
ENVIRONMENT
```
: Development or Production

Idempotency Check:

.NET: Grep for
```
AddCors
```
or
```
UseCors
```
Python: Grep for
```
CORSMiddleware
```
If found: Return
```
{ "status": "skipped" }
```

Phase 2: Analyze Project Structure

Determine frontend configuration.

Detection Steps:

Check for frontend in same repository (
```
/frontend
```
,
```
/client
```
,
```
/web
```
)
Read
```
.env
```
or
```
appsettings.json
```
for CORS_ORIGINS
Identify common frontend ports (3000, 5173, 4200)

Detected Frontend Origins:

Framework	Default Port	Origin
React (CRA)	3000	http://localhost:3000
Vite	5173	http://localhost:5173
Angular	4200	http://localhost:4200
Next.js	3000	http://localhost:3000

Phase 3: Decision Points

Q1: Allowed Origins

Environment	Strategy
Development	Allow localhost origins (configurable)
Production	Explicit origins from environment variables only

Security Warning: Never use

(wildcard) with credentials.

Q2: Allowed Methods

Method	Default	Notes
GET	✓ Yes	Read operations
POST	✓ Yes	Create operations
PUT	✓ Yes	Update operations
DELETE	✓ Yes	Delete operations
PATCH	Optional	Partial updates
OPTIONS	✓ Yes	Preflight requests (automatic)

Q3: Credentials Support

Scenario	AllowCredentials	Notes
Cookie-based auth	✓ Yes	Required for cookies
JWT in header	✗ No	Not needed
OAuth2	Depends	Check documentation

Warning: AllowCredentials = true prohibits

origin.

Q4: Preflight Cache Duration

Environment	MaxAge	Rationale
Development	0	Immediate config changes
Production	86400 (24h)	Reduce preflight requests

Phase 4: Generate Configuration

.NET Output Files

File	Purpose
`Extensions/CorsExtensions.cs`	CORS service registration
`appsettings.json` (update)	Origins configuration
`appsettings.Development.json` (update)	Dev origins

Generation Process:

Use MCP ref for current ASP.NET Core CORS API
Generate CorsExtensions with:
- Development policy (permissive)
- Production policy (restrictive)
- Environment-based policy selection
Update appsettings with CORS:Origins

Registration Code:

builder.Services.AddCorsPolicy(builder.Configuration);
// ...
app.UseCors(builder.Environment.IsDevelopment() ? "Development" : "Production");

Python Output Files

File	Purpose
`middleware/cors_config.py`	CORS middleware configuration
`.env` (update)	CORS_ORIGINS variable

Generation Process:

Use MCP ref for FastAPI CORSMiddleware
Generate cors_config.py with:
- Origin parsing from environment
- Method and header configuration
- Credentials handling
Update .env with CORS_ORIGINS

Registration Code:

from middleware.cors_config import configure_cors
configure_cors(app)

Phase 5: Validate

Validation Steps:

Syntax check:

.NET:
```
dotnet build --no-restore
```

Python:

python -m py_compile middleware/cors_config.py

CORS test:

# Test preflight request
curl -X OPTIONS http://localhost:5000/api/test \
  -H "Origin: http://localhost:3000" \
  -H "Access-Control-Request-Method: POST" \
  -v

Verify headers:

```
Access-Control-Allow-Origin
```
: Should match request origin
```
Access-Control-Allow-Methods
```
: Should list allowed methods
```
Access-Control-Allow-Credentials
```
: true (if enabled)
```
Access-Control-Max-Age
```
: Cache duration

Security Checklist

Before completing, verify:

No wildcard
```
*
```
origin in production
Explicit allowed methods (not
```
AllowAnyMethod
```
in prod)
Credentials only if needed
Origins from environment variables in production
Preflight caching enabled in production

Return to Coordinator

{
  "status": "success",
  "files_created": [
    "Extensions/CorsExtensions.cs"
  ],
  "packages_added": [],
  "registration_code": "builder.Services.AddCorsPolicy(configuration);",
  "message": "Configured CORS with Development and Production policies"
}

Reference Links

Critical Rules

Never use wildcard
*
origin with credentials — security violation per CORS spec
Production origins from environment variables only — no hardcoded URLs in code
Separate Development and Production policies — permissive locally, restrictive in production

Idempotent — if

AddCors

UseCors

CORSMiddleware

exists, return

status: "skipped"

Enable preflight caching in Production — MaxAge 86400 (24h) to reduce OPTIONS requests

Definition of Done

Context Store received (stack, project root, environment)
Frontend origins detected (port/framework auto-detection)
User decisions collected (origins, methods, credentials, cache duration)
CORS configuration generated with environment-specific policies
Security checklist verified (no wildcard + credentials, explicit methods, env-based origins)
Syntax validated (
```
dotnet build
```
or
```
py_compile
```
)
Structured JSON response returned to ln-770 coordinator

Version: 2.0.0 Last Updated: 2026-01-10