Will It Vibe logoWill It Vibe?
API-005Low severity-4 points

No CORS configuration for a public JSON API

Part of Architecture & Best Practices, which counts for 15% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.

What it detects

The app registers a real /api/ route surface but nothing in the repo configures CORS: no cors-family dependency and no Access-Control-Allow-Origin header anywhere. Browsers enforce the same-origin policy by default, so any browser-based client on another origin will have its requests to this API blocked. This is a heuristic: a same-origin-only or server-to-server API does not need CORS at all, so treat this as a prompt to confirm the intent rather than a defect.

Why it matters

An API with a real /api/ surface and no CORS configuration anywhere cannot be called directly from a browser-based client on another origin: the browser blocks the response under the default same-origin policy before your JavaScript ever sees it. If a web frontend, a partner integration, or your own dashboard hosted on a different domain is supposed to call this API, that integration will fail with a CORS error the first time someone tries it from a browser, even though a server-to-server call or a mobile app would work fine.

How to fix it

If the API is meant to be called from browser-based clients on other origins, add the cors middleware (or your framework equivalent) and configure an explicit allow-list of trusted origins rather than a wildcard. If the API is intentionally same-origin or server-to-server only, no change is needed; just confirm that is the actual intent.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Architecture & Best Practices checks