Improve security by blocking the deployment with insecure CORS configurations
Bankde Eakasit
Currently the initial configuration for Strapi is not secure (using a wildcard with allow-credentials). After discussing this with the Strapi security team, we agreed that this is the operator's responsibility. However, in its current state, Strapi still allows an insecure configuration to be deployed without any warning. Security could be improved by blocking the deployment until the operator securely configures the CORS setting.
Note that it's currently insecure by default, so adding a block will impact compatibility.
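
A sketch of the kind of pre-start check the request describes, added here as an example and not taken from the post or from Strapi's code. The function names and the `origin`/`credentials` option shape are assumptions, and the `"null"` origin check goes one step beyond the wildcard case the post names.

```javascript
// Added example: a hypothetical pre-start check, not Strapi's own code.
// DEFAULTS mirrors the initial state the post describes
// (wildcard origin with allow-credentials).
const DEFAULTS = { origin: '*', credentials: true };

// Normalise `origin` (string, comma-separated string or array) to a list.
function originList(origin) {
  if (Array.isArray(origin)) return origin.map((o) => String(o).trim());
  if (typeof origin === 'string') return origin.split(',').map((o) => o.trim());
  return [];
}

// Return the reasons the effective CORS settings are unsafe (empty if none).
function findInsecureCors(userCors = {}) {
  const cors = { ...DEFAULTS, ...userCors };
  const problems = [];
  // Without credentials, a wildcard does not expose authenticated responses.
  if (cors.credentials !== true) return problems;
  const origins = originList(cors.origin);
  if (origins.includes('*')) {
    problems.push('origin "*" with credentials enabled');
  }
  if (origins.includes('null')) {
    problems.push('origin "null" with credentials enabled');
  }
  return problems;
}

// Refuse to start instead of only warning.
function assertSafeCors(userCors) {
  const problems = findInsecureCors(userCors);
  if (problems.length > 0) {
    throw new Error(`Insecure CORS configuration: ${problems.join('; ')}`);
  }
}

// Constructed sample configurations.
const weak = {}; // operator changed nothing, so the defaults apply
const fixed = { origin: ['https://admin.example.com'], credentials: true };
```

Calling `assertSafeCors(weak)` throws, while `assertSafeCors(fixed)` returns normally; an explicit opt-out setting would be one way to soften the compatibility impact the post mentions.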