# Fix: POST response carries Access-Control-Allow-Origin

> Web-audit fix skill for the `mcp-cors-actual` check (MCP & API, SHOULD).

## Goal

Echo Access-Control-Allow-Origin on the actual MCP POST response.

## Fix

Echo `Access-Control-Allow-Origin` on the actual `POST` response, not only on the preflight.
A browser blocks the response body when the header is absent even if the preflight passed.
Omit it deliberately only if browser-origin agents are not a supported client.

## Resources

- [MDN CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS)

## Copy-paste prompt

Paste this into your coding agent, replacing the Issue line with the Result line from [your audit](https://anc.dev/web-audit):

```text
Goal: Echo Access-Control-Allow-Origin on the actual MCP POST response
Issue: <the audit's finding for this check>
Fix: Echo `Access-Control-Allow-Origin` on the actual `POST` response, not only on the preflight. A browser blocks the response body when the header is absent even if the preflight passed. Omit it deliberately only if browser-origin agents are not a supported client.
Skill: https://anc.dev/web-audit/skill/mcp-cors-actual
Docs: https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS
```

## Verify

Re-run the audit at [https://anc.dev/web-audit](https://anc.dev/web-audit) or call the `audit_website` MCP tool; the `mcp-cors-actual` check should report `pass`.
