Automatically validates Cloudflare Workers CORS configuration, ensuring proper headers, OPTIONS handling, and origin validation for cross-origin requests
hirefrank/hirefrank-marketplace
edge-stack
plugins/edge-stack/skills/cors-configuration-validator/SKILL.md
January 16, 2026
npx add-skill https://github.com/hirefrank/hirefrank-marketplace/blob/main/plugins/edge-stack/skills/cors-configuration-validator/SKILL.md -a claude-code --skill cors-configuration-validator
Installation paths:
.claude/skills/cors-configuration-validator/

# CORS Configuration Validator SKILL
## Activation Patterns
This SKILL automatically activates when:
- `new Response()` objects are created
- CORS-related headers are set or modified
- API endpoints serve cross-origin requests
- OPTIONS method handling is detected
- Cross-origin request patterns are identified
## Expertise Provided
### Workers-Specific CORS Validation
- **Header Validation**: Ensures all required CORS headers are present
- **OPTIONS Handling**: Validates preflight request handling
- **Origin Validation**: Checks for proper origin validation logic
- **Method Validation**: Ensures correct allowed methods
- **Header Validation**: Validates allowed headers configuration
- **Security**: Prevents overly permissive CORS configurations
### Specific Checks Performed
#### ❌ CORS Anti-Patterns
```typescript
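// These patterns trigger immediate alerts:

// Missing CORS headers
export default {
  async fetch(request: Request, env: Env) {
    const data = { ok: true }; // placeholder payload
    // No Access-Control-Allow-Origin header is set:
    // browsers will block cross-origin requests!
    return new Response(JSON.stringify(data));
  }
}

// Overly permissive for authenticated APIs
const corsHeaders = {
  'Access-Control-Allow-Origin': '*', // ANY origin can call!
  // With credentials! Browsers also reject '*' on credentialed requests,
  // so this pair is unsafe in intent and broken in practice.
  'Access-Control-Allow-Credentials': 'true'
};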
```
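The two anti-patterns above, together with the preflight and origin checks listed earlier, can be expressed as a small header audit. This is an added example, not code from the skill's repository; the function names, rule names and sample inputs are assumptions made for illustration.

```typescript
// Added example (not from the skill's repository): audits a response's CORS
// headers for the anti-patterns shown above. Rule names are hypothetical.
type Finding = { rule: string; detail: string };
type AuditOptions = { allowlist: string[]; preflight?: boolean };

// Header names are case-insensitive, so index them in lower case.
function lowerKeys(headers: Record<string, string>): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value.trim();
  return out;
}

function auditCors(headers: Record<string, string>, opts: AuditOptions): Finding[] {
  const h = lowerKeys(headers);
  const findings: Finding[] = [];
  const acao = h['access-control-allow-origin'];
  const withCreds = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';

  if (acao === undefined) {
    // Anti-pattern 1: a browser will not expose this response cross-origin.
    return [{ rule: 'missing-allow-origin', detail: 'Access-Control-Allow-Origin is absent' }];
  }
  if (acao === '*' && withCreds) {
    // Anti-pattern 2: wildcard origin on an API that also allows credentials.
    findings.push({ rule: 'wildcard-with-credentials', detail: 'use an explicit allowlisted origin' });
  } else if (acao !== '*' && !opts.allowlist.includes(acao)) {
    // The returned origin must come from the allowlist, not straight from the request.
    findings.push({ rule: 'origin-not-allowlisted', detail: `unexpected origin ${acao}` });
  }
  if (opts.preflight) {
    // Policy assumed here: an OPTIONS response lists its permitted methods and headers.
    for (const name of ['access-control-allow-methods', 'access-control-allow-headers']) {
      if (!h[name]) findings.push({ rule: 'preflight-missing-header', detail: `${name} is absent` });
    }
  }
  return findings;
}

// Constructed sample inputs, using the origins and header values from this page.
const ALLOWLIST = ['https://app.example.com', 'https://example.com'];
const permissive = { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': 'true' };
const validated = {
  'Access-Control-Allow-Origin': 'https://app.example.com',
  'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
  'Access-Control-Allow-Headers': 'Content-Type, Authorization',
  'Access-Control-Max-Age': '86400',
};
console.log(auditCors(permissive, { allowlist: ALLOWLIST }), auditCors(validated, { allowlist: ALLOWLIST, preflight: true }));
```

A wildcard origin without credentials is deliberately not flagged, since the page treats it as a problem only for authenticated APIs.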
#### ✅ CORS Best Practices
```typescript
// These patterns are validated as correct:

// Proper CORS with origin validation
function getCorsHeaders(origin: string) {
  const allowedOrigins = ['https://app.example.com', 'https://example.com'];
  const allowOrigin = allowedOrigins.includes(origin) ? origin : allowedOrigins[0];
  return {
    'Access-Control-Allow-Origin': allowOrigin,
    'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type, Authorization',
    'Access-Control-Max-Age': '86400',
  };
}

export default {
  async fetch(request: Request, env: Env) {
    const origin = request.headers.get('Origin') || '';
    if (request.method === 'OPTI