At the very least, CORS should be disabled for localhost. I build interfaces using create-react-app, which launches a dev server on localhost:3000 (useful for things like live reload), making requests to a Go API on localhost:5000. In production, both are on :80 and the backend serves the frontend production files. It is annoying to alter the application code just to handle the dev environment (although this already happens in many other places, so it's not critical).