Security defaults that belong in every Express application from day one.
{
  "instruction": "Configure CORS with explicit allowed origins, not wildcard",
  "relevant_when": "Agent creates or modifies an Express application, adds routes to an Express app, or sets up an Express project",
  "context": "Every Express app that will be accessed from a browser needs CORS configured with explicit origins. Using cors() with no arguments allows any origin (Access-Control-Allow-Origin: *). Using origin: true reflects any request origin, which is dangerous with credentials. Always configure explicit allowed origins from environment variables.",
  "sources": [
    {
      "type": "file",
      "filename": "skills/express-security-basics/SKILL.md",
      "tile": "tessl-labs/express-security-basics@0.2.0"
    }
  ],
  "checklist": [
    {
      "name": "cors-not-wildcard",
      "rule": "Agent does not use cors() with no arguments, origin: '*', or origin: true in production config",
      "relevant_when": "Agent creates or modifies an Express application"
    },
    {
      "name": "cors-explicit-origins",
      "rule": "Agent configures CORS with specific allowed origins from environment variables or config (e.g., process.env.ALLOWED_ORIGINS)",
      "relevant_when": "Agent creates or modifies an Express application"
    },
    {
      "name": "cors-methods-restricted",
      "rule": "Agent specifies allowed HTTP methods rather than accepting all methods by default",
      "relevant_when": "Agent creates or modifies an Express application"
    }
  ]
}