Fix: POST response carries Access-Control-Allow-Origin

Web-audit fix skill for the mcp-cors-actual check (MCP & API, SHOULD).

Goal

Echo Access-Control-Allow-Origin on the actual MCP POST response.

Fix

Echo Access-Control-Allow-Origin on the actual POST response, not only on the preflight. A browser blocks the response body when the header is absent even if the preflight passed. Omit it deliberately only if browser-origin agents are not a supported client.

Resources

Copy-paste prompt

Paste this into your coding agent, replacing the Issue line with the Result line from your audit:

Verify

Re-run the audit at https://anc.dev/web-audit or call the audit_website MCP tool; the mcp-cors-actual check should report pass.