Fix: CORS preflight (OPTIONS) succeeds with Access-Control-Allow-* headers

Web-audit fix skill for the mcp-cors-preflight check (MCP & API, SHOULD).

Goal

Answer OPTIONS preflights on the MCP endpoint with Access-Control-Allow-* headers.

Fix

Answer the OPTIONS preflight on your MCP endpoint with 204 (or 200) and the Access-Control-Allow-Origin, Access-Control-Allow-Methods, and Access-Control-Allow-Headers response headers, so a browser-origin agent can call the endpoint. If your MCP surface is deliberately server-to-agent only (no browser clients), this SHOULD is a considered choice, not a defect.

Resources

Copy-paste prompt

Paste this into your coding agent, replacing the Issue line with the Result line from your audit:

Verify

Re-run the audit at https://anc.dev/web-audit or call the audit_website MCP tool; the mcp-cors-preflight check should report pass.