Security defaults that belong in every FastAPI application from day one.
Score: 93. Does it follow best practices? 90%. Impact: 98%. Average score across 5 eval scenarios: 7.00x. Passed, no known issues.
{
"instruction": "Configure CORS with explicit allowed origins, not wildcard",
"relevant_when": "Agent creates or modifies a FastAPI application, adds routes to a FastAPI app, or sets up a FastAPI project",
"context": "Every FastAPI app that will be accessed from a browser needs CORSMiddleware configured with explicit origins. Using allow_origins=['*'] lets any website make requests to the API, and if allow_credentials=True is also set, Starlette's CORSMiddleware echoes the requesting Origin instead of a literal '*', so any site can make credentialed cross-origin requests. Always configure explicit allowed origins from environment variables (e.g., ALLOWED_ORIGINS), and set allow_methods and allow_headers explicitly rather than relying on the defaults.",
"sources": [
{
"type": "file",
"filename": "skills/fastapi-security-basics/SKILL.md",
"tile": "tessl-labs/fastapi-security-basics@0.2.0"
}
],
"checklist": [
{
"name": "cors-not-wildcard",
"rule": "Agent does not use allow_origins=['*'] or allow_origins='*' in the CORSMiddleware configuration",
"relevant_when": "Agent creates or modifies a FastAPI application"
},
{
"name": "cors-explicit-origins",
"rule": "Agent configures CORSMiddleware with specific allowed origins from environment variables (e.g., os.getenv('ALLOWED_ORIGINS'))",
"relevant_when": "Agent creates or modifies a FastAPI application"
},
{
"name": "cors-methods-specified",
"rule": "Agent specifies allow_methods explicitly in CORSMiddleware rather than accepting defaults",
"relevant_when": "Agent creates or modifies a FastAPI application"
},
{
"name": "cors-headers-specified",
"rule": "Agent specifies allow_headers in CORSMiddleware (at minimum Content-Type and Authorization)",
"relevant_when": "Agent creates or modifies a FastAPI application"
}
]
}
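The following is an added example illustrating the checklist above; it is not code from the skill or from FastAPI's documentation. It reads the ALLOWED_ORIGINS variable the checklist names, rejects wildcards and malformed origins, builds explicit CORSMiddleware keyword arguments, and includes a small checker that reports which of the four checklist rules a given configuration violates. Function and constant names (parse_allowed_origins, cors_settings, failing_checks, WILDCARD_CORS) and the sample origins are assumptions made for the example. FastAPI is imported lazily inside create_app so the helpers run without it installed.

```python
"""Explicit CORS settings for FastAPI driven by ALLOWED_ORIGINS, plus a checker
that mirrors the checklist rules. Added example; names are illustrative."""
import os
from typing import Dict, List, Mapping, Optional
from urllib.parse import urlsplit

# Explicit method and header lists. Starlette's defaults are ("GET",) and (),
# so anything beyond a simple GET has to be listed here.
ALLOWED_METHODS = ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"]
ALLOWED_HEADERS = ["Content-Type", "Authorization"]

# The configuration the checklist rejects (constructed here for comparison).
WILDCARD_CORS: Dict[str, object] = {"allow_origins": ["*"], "allow_credentials": True}


def parse_allowed_origins(raw: Optional[str]) -> List[str]:
    """Turn 'https://a.example, http://localhost:3000' into a validated list.

    Rejects a missing value, any wildcard, non-http(s) schemes and anything
    carrying a path, query or fragment (an origin is scheme://host[:port] only).
    """
    if raw is None or not raw.strip():
        raise ValueError("ALLOWED_ORIGINS must be set to a comma-separated list of origins")
    origins: List[str] = []
    for item in raw.split(","):
        origin = item.strip()
        if not origin:
            continue
        if "*" in origin:
            raise ValueError("wildcard origins are not allowed; list each origin explicitly")
        parts = urlsplit(origin)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError(f"invalid origin {origin!r}: expected scheme://host[:port]")
        if parts.path or parts.query or parts.fragment:
            raise ValueError(f"invalid origin {origin!r}: origins carry no path, query or fragment")
        normalized = f"{parts.scheme}://{parts.netloc}".lower()
        if normalized not in origins:  # de-duplicate, keep order
            origins.append(normalized)
    if not origins:
        raise ValueError("ALLOWED_ORIGINS contained no origins")
    return origins


def cors_settings(environ: Optional[Mapping[str, str]] = None) -> Dict[str, object]:
    """Keyword arguments for app.add_middleware(CORSMiddleware, ...)."""
    env = os.environ if environ is None else environ
    return {
        "allow_origins": parse_allowed_origins(env.get("ALLOWED_ORIGINS")),
        "allow_credentials": True,
        "allow_methods": list(ALLOWED_METHODS),
        "allow_headers": list(ALLOWED_HEADERS),
    }


def failing_checks(kwargs: Mapping[str, object]) -> List[str]:
    """Names of the checklist rules that a CORSMiddleware kwargs dict violates.

    cors-explicit-origins is checked only as 'non-empty and wildcard-free';
    whether the values came from the environment is not visible here.
    """
    failures: List[str] = []
    origins = kwargs.get("allow_origins") or []
    if isinstance(origins, str):
        origins = [origins]
    if any(o == "*" for o in origins):
        failures.append("cors-not-wildcard")
    if not origins or any("*" in o for o in origins):
        failures.append("cors-explicit-origins")
    if not kwargs.get("allow_methods"):
        failures.append("cors-methods-specified")
    headers = {str(h).lower() for h in (kwargs.get("allow_headers") or [])}
    if not {"content-type", "authorization"} <= headers:
        failures.append("cors-headers-specified")
    return failures


def create_app(environ: Optional[Mapping[str, str]] = None):
    """Build the FastAPI app; FastAPI is imported lazily so the helpers above
    can run (and be tested) without it installed."""
    from fastapi import FastAPI
    from fastapi.middleware.cors import CORSMiddleware

    settings = cors_settings(environ)
    problems = failing_checks(settings)
    if problems:  # fail closed at startup rather than ship a permissive policy
        raise RuntimeError(f"CORS configuration fails checks: {problems}")
    app = FastAPI()
    app.add_middleware(CORSMiddleware, **settings)

    @app.get("/health")
    def health() -> dict:
        return {"ok": True}

    return app


if __name__ == "__main__":
    # Constructed environment for a stand-alone run; deployments use os.environ.
    demo_env = {"ALLOWED_ORIGINS": "https://app.example.com, http://localhost:3000"}
    print("hardened:", cors_settings(demo_env), failing_checks(cors_settings(demo_env)))
    print("wildcard:", WILDCARD_CORS, failing_checks(WILDCARD_CORS))
```

If you genuinely need to admit many subdomains, Starlette's allow_origin_regex is the supported route; a literal '*' inside allow_origins is rejected here on purpose, because with allow_credentials=True it turns into origin reflection.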