Claude Code Plugins

Community-maintained marketplace

Feedback

ln-773-cors-configurator

@levnikolaevich/claude-code-skills
25
0

Configures CORS policy for development and production

Install Skill

1Download skill
2Enable skills in Claude

Open claude.ai/settings/capabilities and find the "Skills" section

3Upload to Claude

Click "Upload skill" and select the downloaded ZIP file

Note: Please verify skill by going through its instructions before using it.

SKILL.md

name ln-773-cors-configurator
description Configures CORS policy for development and production

ln-773-cors-configurator

Type: L3 Worker Category: 7XX Project Bootstrap Parent: ln-770-crosscutting-setup

Configures Cross-Origin Resource Sharing (CORS) policy with security-first approach.

Overview

Aspect Details
Input Context Store from ln-770
Output CORS configuration with environment-specific policies
Stacks .NET (ASP.NET Core CORS), Python (FastAPI CORSMiddleware)

Phase 1: Receive Context

Accept Context Store from coordinator.

Required Context:

  • STACK: .NET or Python
  • PROJECT_ROOT: Project directory path
  • ENVIRONMENT: Development or Production

Idempotency Check:

  • .NET: Grep for AddCors or UseCors
  • Python: Grep for CORSMiddleware
  • If found: Return { "status": "skipped" }

Phase 2: Analyze Project Structure

Determine frontend configuration.

Detection Steps:

  1. Check for frontend in same repository (/frontend, /client, /web)
  2. Read .env or appsettings.json for CORS_ORIGINS
  3. Identify common frontend ports (3000, 5173, 4200)

Detected Frontend Origins:

Framework Default Port Origin
React (CRA) 3000 http://localhost:3000
Vite 5173 http://localhost:5173
Angular 4200 http://localhost:4200
Next.js 3000 http://localhost:3000

Phase 3: Decision Points

Q1: Allowed Origins

Environment Strategy
Development Allow localhost origins (configurable)
Production Explicit origins from environment variables only

Security Warning: Never use * (wildcard) with credentials.

Q2: Allowed Methods

Method Default Notes
GET ✓ Yes Read operations
POST ✓ Yes Create operations
PUT ✓ Yes Update operations
DELETE ✓ Yes Delete operations
PATCH Optional Partial updates
OPTIONS ✓ Yes Preflight requests (automatic)

Q3: Credentials Support

Scenario AllowCredentials Notes
Cookie-based auth ✓ Yes Required for cookies
JWT in header ✗ No Not needed
OAuth2 Depends Check documentation

Warning: AllowCredentials = true prohibits * origin.

Q4: Preflight Cache Duration

Environment MaxAge Rationale
Development 0 Immediate config changes
Production 86400 (24h) Reduce preflight requests

Phase 4: Generate Configuration

.NET Output Files

File Purpose
Extensions/CorsExtensions.cs CORS service registration
appsettings.json (update) Origins configuration
appsettings.Development.json (update) Dev origins

Generation Process:

  1. Use MCP ref for current ASP.NET Core CORS API
  2. Generate CorsExtensions with:
    • Development policy (permissive)
    • Production policy (restrictive)
    • Environment-based policy selection
  3. Update appsettings with CORS:Origins

Registration Code:

builder.Services.AddCorsPolicy(builder.Configuration);
// ...
app.UseCors(builder.Environment.IsDevelopment() ? "Development" : "Production");

Python Output Files

File Purpose
middleware/cors_config.py CORS middleware configuration
.env (update) CORS_ORIGINS variable

Generation Process:

  1. Use MCP ref for FastAPI CORSMiddleware
  2. Generate cors_config.py with:
    • Origin parsing from environment
    • Method and header configuration
    • Credentials handling
  3. Update .env with CORS_ORIGINS

Registration Code:

from middleware.cors_config import configure_cors
configure_cors(app)

Phase 5: Validate

Validation Steps:

  1. Syntax check:

    • .NET: dotnet build --no-restore
    • Python: python -m py_compile middleware/cors_config.py

  2. CORS test:

    # Test preflight request
curl -X OPTIONS http://localhost:5000/api/test \
  -H "Origin: http://localhost:3000" \
  -H "Access-Control-Request-Method: POST" \
  -v

  3. Verify headers:

    • Access-Control-Allow-Origin: Should match request origin
    • Access-Control-Allow-Methods: Should list allowed methods
    • Access-Control-Allow-Credentials: true (if enabled)
    • Access-Control-Max-Age: Cache duration

Security Checklist

Before completing, verify:

  • No wildcard * origin in production
  • Explicit allowed methods (not AllowAnyMethod in prod)
  • Credentials only if needed
  • Origins from environment variables in production
  • Preflight caching enabled in production

Return to Coordinator

{
  "status": "success",
  "files_created": [
    "Extensions/CorsExtensions.cs"
  ],
  "packages_added": [],
  "registration_code": "builder.Services.AddCorsPolicy(configuration);",
  "message": "Configured CORS with Development and Production policies"
}

Reference Links

Version: 2.0.0 Last Updated: 2026-01-10