Here's the tl;dr
app.use(cors());
defaults to Access-Control-Allow-Origin: *
If you know how CORS works, you already know that even if the resource is on localhost, it's open to any web page, including ones not on localhost. You won't find anything enlightening here.
If you don't know how CORS works but you're using the Express middleware for it anyway, read the documentation: https://expressjs.com/en/resources/middleware/cors.html#conf...
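
An allowlist alternative to the wildcard default described above, as an added example that is not part of the original comment. The allowlist entries and the helper names `normalizeOrigin`, `originDelegate` and `isAllowed` are constructed for illustration; the delegate follows the `(origin, callback)` form of the cors middleware's `origin` option.

```javascript
// Constructed allowlist: exact origins (scheme + host + port) allowed to read responses.
const ALLOWED_ORIGINS = new Set([
  "http://localhost:3000",
  "https://app.example.com",
]);

// Normalise an Origin header value to scheme://host[:port]; return null if it is not a usable origin.
function normalizeOrigin(value) {
  // The literal string "null" is sent by sandboxed or opaque contexts and is never trusted here.
  if (typeof value !== "string" || value === "null") return null;
  try {
    const u = new URL(value);
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    // A real Origin header carries no path, query, fragment or credentials.
    if (u.pathname !== "/" || u.search || u.hash || u.username || u.password) return null;
    return u.origin; // default ports are dropped, e.g. https://host:443 -> https://host
  } catch {
    return null; // not parseable as a URL
  }
}

// Delegate in the (origin, callback) shape accepted by the cors `origin` option.
// callback(null, true) lets cors reflect the request origin; false sends no CORS headers.
function originDelegate(origin, callback) {
  // No Origin header: same-origin or non-browser request, so no CORS headers are needed.
  if (origin === undefined) return callback(null, false);
  const normalized = normalizeOrigin(origin);
  // Exact set membership, not substring or prefix matching.
  callback(null, normalized !== null && ALLOWED_ORIGINS.has(normalized));
}

// Synchronous wrapper so the decision can be checked without running a server.
function isAllowed(origin) {
  let allowed = false;
  originDelegate(origin, (err, allow) => { allowed = !err && allow === true; });
  return allowed;
}

// Wiring (assumes express and cors are installed):
//   app.use(cors());                           // default: Access-Control-Allow-Origin: *
//   app.use(cors({ origin: originDelegate })); // only allowlisted origins get the header
```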