Does enabling CORS make an API more secure, and how does CORS relate to CSRF?
No — CORS (Cross-Origin Resource Sharing) relaxes the browser's same-origin policy to let approved origins read cross-origin responses. It is a browser-enforced read policy, not server-side access control.
A permissive CORS policy (one that reflects any Origin header and sets Access-Control-Allow-Credentials: true) turns CORS into a liability: any site a logged-in user visits can make credentialed requests to your API from its JavaScript and read the responses.
CORS also does not stop CSRF. Here's why: CSRF abuses the fact that the browser automatically attaches cookies to the requests it sends, regardless of CORS, and a cross-site form submission is sent without any preflight. The forged request still reaches your server and executes the state-changing action. CORS only controls whether the attacker's JavaScript can read the response — the damage from a CSRF attack (e.g. a POST that transfers funds) is done before any response is read. CSRF needs its own defenses: SameSite cookies, anti-CSRF tokens, and validating the Origin/Referer header on state-changing requests.