AI set up CORS so your frontend can call your API. It works, you shipped. What you actually shipped lets any website call your API with your users’ cookies attached.
What you shipped
The config sets origin: '*' together with credentials: true — meaning any site can make authenticated requests on your users’ behalf.

How anyone exploits it
A user visits evil.com while logged into your app. That page runs:
fetch('https://yourapi.com/me', { credentials: 'include' })
The browser sends your user’s cookies, your API allows the origin, and evil.com reads the response — the user’s private data, as them.
Why you won’t catch it
Your own frontend is an allowed origin (everything is), so all your testing works perfectly. The hole only matters when a different site makes the call.
Why AI does it
A wildcard origin is the fastest way to stop CORS errors during development. Pinning it to your real domain is the step that gets skipped once “it works.”
The fix
Name your exact origin(s); never combine * with credentials:
cors({ origin: 'https://yourapp.com', credentials: true })

Check your app
- origin is an explicit allowlist of your domains, never * when credentials are involved.
- Only the methods and headers you need are allowed.
- Preflight responses don’t reflect arbitrary origins back.
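A small check for the first and last items above, written as an added example (not code from the original post or from Velify): a simplified model of how an origin setting resolves to the Access-Control-Allow-Origin header, plus an audit that flags a wildcard or reflected origin combined with credentials. The option names follow the cors-style config shown above; the resolver is a simplified assumption, not the library's own code, and the origins are constructed samples.

```javascript
// Simplified model (an assumption, not the cors package's code) of how an
// `origin` option turns into an Access-Control-Allow-Origin value.
// Returns null when no header would be sent, i.e. the origin is denied.
function resolveAllowOrigin(config, requestOrigin) {
  const { origin } = config;
  if (origin === '*') return '*';             // wildcard: every site
  if (origin === true) return requestOrigin;  // reflects whatever the caller sends
  const allowlist = Array.isArray(origin) ? origin : [origin];
  return allowlist.includes(requestOrigin) ? requestOrigin : null;
}

// Audit: the dangerous combinations are credentials with a wildcard origin
// or with an origin that is reflected back unchecked.
function auditCors(config) {
  const findings = [];
  if (config.credentials) {
    if (config.origin === '*') findings.push('wildcard origin with credentials');
    if (config.origin === true) findings.push('reflected origin with credentials');
  }
  return findings;
}

// Constructed sample configs: what shipped, a reflecting variant, and the fix.
const shipped = { origin: '*', credentials: true };
const reflecting = { origin: true, credentials: true };
const fixed = { origin: ['https://yourapp.com'], credentials: true };

// Constructed origins: your own frontend, and a third-party site.
// Testing only from the first one is why the hole never shows up.
const ORIGINS = ['https://yourapp.com', 'https://third-party.example'];

function originsAllowed(config) {
  return ORIGINS.filter((o) => resolveAllowOrigin(config, o) !== null);
}

for (const [name, cfg] of Object.entries({ shipped, reflecting, fixed })) {
  console.log(name, 'allows:', originsAllowed(cfg), 'findings:', auditCors(cfg));
}
```

The own-origin call succeeds for all three configs; only the third-party origin separates the fixed config from the broken ones.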
The bigger problem
A senior dev catches this by reflex. But if nobody senior reads the code, the broken version ships — it works in every test, because every test takes the happy path. The author and the reviewer are the same model with the same blind spot.
That’s the gap Velify is built to close: it reads your project and flags exactly this, in plain language, no terminal.
