PSA: CORS allow origin * considered harmful in development.

CORS allow origin * is a security hole, even in development.

Great Scott! Timing Attack Demo for the Everyday Webdev