# Fix: CORS preflight (OPTIONS) succeeds with Access-Control-Allow-* headers

> Web-audit fix skill for the `mcp-cors-preflight` check (MCP & API, SHOULD).

## Goal

Answer OPTIONS preflights on the MCP endpoint with Access-Control-Allow-* headers.

## Fix

Answer the `OPTIONS` preflight on your MCP endpoint with `204` (or `200`) and the
`Access-Control-Allow-Origin`, `Access-Control-Allow-Methods`, and
`Access-Control-Allow-Headers` response headers, so a browser-origin agent can call the
endpoint. If your MCP surface is deliberately server-to-agent only (no browser clients),
this SHOULD is a considered choice, not a defect.

## Resources

- [MDN CORS preflight](https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request)

## Copy-paste prompt

Paste this into your coding agent, replacing the Issue line with the Result line from [your audit](https://anc.dev/web-audit):

```text
Goal: Answer OPTIONS preflights on the MCP endpoint with Access-Control-Allow-* headers
Issue: <the audit's finding for this check>
Fix: Answer the `OPTIONS` preflight on your MCP endpoint with `204` (or `200`) and the `Access-Control-Allow-Origin`, `Access-Control-Allow-Methods`, and `Access-Control-Allow-Headers` response headers, so a browser-origin agent can call the endpoint. If your MCP surface is deliberately server-to-agent only (no browser clients), this SHOULD is a considered choice, not a defect.
Skill: https://anc.dev/web-audit/skill/mcp-cors-preflight
Docs: https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request
```

## Verify

Re-run the audit at [https://anc.dev/web-audit](https://anc.dev/web-audit) or call the `audit_website` MCP tool; the `mcp-cors-preflight` check should report `pass`.
