Fix: CORS preflight (OPTIONS) succeeds with Access-Control-Allow-* headers
Web-audit fix skill for the
mcp-cors-preflightcheck (MCP & API, SHOULD).
Goal
Answer OPTIONS preflights on the MCP endpoint with Access-Control-Allow-* headers.
Fix
Answer the OPTIONS preflight on your MCP endpoint with 204 (or 200) and the Access-Control-Allow-Origin, Access-Control-Allow-Methods, and Access-Control-Allow-Headers response headers, so a browser-origin agent can call the endpoint. If your MCP surface is deliberately server-to-agent only (no browser clients), this SHOULD is a considered choice, not a defect.
Resources
Copy-paste prompt
Paste this into your coding agent, replacing the Issue line with the Result line from your audit:
Verify
Re-run the audit at https://anc.dev/web-audit or call the audit_website MCP tool; the mcp-cors-preflight check should report pass.