Security defaults that belong in every ASP.NET Core application from day one.
{
  "instruction": "Configure CORS with explicit allowed origins, not wildcard",
  "relevant_when": "Agent creates or modifies an ASP.NET Core application, adds endpoints to an ASP.NET Core app, or sets up an ASP.NET Core project",
  "context": "Every ASP.NET Core app accessed from a browser needs CORS configured with explicit origins. Using AllowAnyOrigin() allows any origin. Using SetIsOriginAllowed(_ => true) is even worse when combined with AllowCredentials(). Always configure explicit allowed origins from configuration or environment variables.",
  "sources": [
    {
      "type": "file",
      "filename": "skills/aspnet-security-basics/SKILL.md",
      "tile": "tessl-labs/aspnet-security-basics@0.2.0"
    }
  ],
  "checklist": [
    {
      "name": "cors-not-wildcard",
      "rule": "Agent does not use AllowAnyOrigin() or SetIsOriginAllowed(_ => true) in production CORS configuration",
      "relevant_when": "Agent creates or modifies an ASP.NET Core application"
    },
    {
      "name": "cors-explicit-origins",
      "rule": "Agent configures CORS with specific allowed origins from configuration (e.g., builder.Configuration.GetSection or WithOrigins with config values)",
      "relevant_when": "Agent creates or modifies an ASP.NET Core application"
    },
    {
      "name": "cors-methods-restricted",
      "rule": "Agent specifies allowed HTTP methods with WithMethods() rather than using AllowAnyMethod()",
      "relevant_when": "Agent creates or modifies an ASP.NET Core application"
    }
  ]
}