diff --git a/CHANGELOG.md b/CHANGELOG.md
index 64ac6f1..810ce38 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,19 +2,23 @@ Always finding new things to implement / improve in this list!
 
 ### 0.0.1
 - [chore] update packages & cleanup & work on improving documentation
-- [in-progress] move error handling to @ss-labs/node/express/init or preRoute
-- [in-progress] clean up @es-labs/node/auth
+- [clean] move error handling to @ss-labs/node/express/init or preRoute
+- [clean] clean up @es-labs/node/auth
+
+### 0.0.2
+- [chore] update packages
+  - breaking change in @es-labs/node@0.0.37
 
 
 ### For next sprint / version
+- [feat] add commitizen, add semantic-release?
 - [next-in-pipeline] add more express-jsdoc-swagger to routes
 - [next-in-pipeline] fix broken tests and examples
-- [next-in-pipeline] re-implement MQ
+- [next-in-pipeline] re-implement MQ with redis pubsub?
 - [next-in-pipeline] to use Typescript and tsoa ? or use JSDoc?
 - [research] use ESM instead of CJS - https://gist.github.com/sindresorhus/a39789f98801d908bbc7ff3ecc99d99c
 - [frontend] aria
 - [iaac-cicd] terraform, GKE, Kubernetes
-- [feat] add commitizen, add semantic-release?
 - [backend-testing] research websocket testing - https://stackoverflow.com/questions/55963562/test-websockets-with-jest
 
 ### For future product improvement
diff --git a/apps/.env.dev b/apps/.env.dev
index c08c9ab..7b20427 100644
--- a/apps/.env.dev
+++ b/apps/.env.dev
@@ -225,12 +225,13 @@ CORS_ORIGINS=
 # CORS_OPTIONS=
 #
 # set withCredentials === true at Frontend
-  # exposedHeaders: ['refresh-token'], // allow this to be sent back in response
-  # maxAge
-  # allowedHeaders
-  # credentials
-  # default cors settings
-  # credentials: true // Access-Control-Allow-Credentials value to true
+#   exposedHeaders: ['refresh-token'], // allow this to be sent back in response
+#   maxAge
+#   allowedHeaders
+#   credentials
+#   default cors settings
+#   credentials: true // Access-Control-Allow-Credentials value to true
+# SAMPLE: "allowedHeaders": ["content-type", "Authorization","access_token", "refresh_token"]
 CORS_OPTIONS='{
   "methods": "GET,HEAD,PUT,PATCH,POST,DELETE,OPTIONS",
   "preflightContinue": false,
@@ -238,8 +239,11 @@ CORS_OPTIONS='{
   "credentials": true,
   "origin": ["http://127.0.0.1:8080","https://127.0.0.1:8080"]
 }'
-
-#  "allowedHeaders": ["content-type", "Authorization","access_token", "refresh_token"]
+## set CORS_DEFAULTS if certain CORS headers are missing, to handle:
+## https://www.alibabacloud.com/help/en/fc/overview-36 (CORS request processing)
+CORS_DEFAULTS='{
+  "Access-Control-Allow-Origin": "forbidden"
+}'
 
 # 'http://127.0.0.1:8080', // used by proxy middleware
 PROXY_WWW_ORIGIN=
diff --git a/apps/.env.development b/apps/.env.development
index c08c9ab..7b20427 100644
--- a/apps/.env.development
+++ b/apps/.env.development
@@ -225,12 +225,13 @@ CORS_ORIGINS=
 # CORS_OPTIONS=
 #
 # set withCredentials === true at Frontend
-  # exposedHeaders: ['refresh-token'], // allow this to be sent back in response
-  # maxAge
-  # allowedHeaders
-  # credentials
-  # default cors settings
-  # credentials: true // Access-Control-Allow-Credentials value to true
+#   exposedHeaders: ['refresh-token'], // allow this to be sent back in response
+#   maxAge
+#   allowedHeaders
+#   credentials
+#   default cors settings
+#   credentials: true // Access-Control-Allow-Credentials value to true
+# SAMPLE: "allowedHeaders": ["content-type", "Authorization","access_token", "refresh_token"]
 CORS_OPTIONS='{
   "methods": "GET,HEAD,PUT,PATCH,POST,DELETE,OPTIONS",
   "preflightContinue": false,
@@ -238,8 +239,11 @@ CORS_OPTIONS='{
   "credentials": true,
   "origin": ["http://127.0.0.1:8080","https://127.0.0.1:8080"]
 }'
-
-#  "allowedHeaders": ["content-type", "Authorization","access_token", "refresh_token"]
+## set CORS_DEFAULTS if certain CORS headers are missing, to handle:
+## https://www.alibabacloud.com/help/en/fc/overview-36 (CORS request processing)
+CORS_DEFAULTS='{
+  "Access-Control-Allow-Origin": "forbidden"
+}'
 
 # 'http://127.0.0.1:8080', // used by proxy middleware
 PROXY_WWW_ORIGIN=
diff --git a/apps/.env.sample b/apps/.env.sample
index cd54f47..1da8993 100644
--- a/apps/.env.sample
+++ b/apps/.env.sample
@@ -219,12 +219,13 @@ CORS_ORIGINS=
 # CORS_OPTIONS=
 #
 # set withCredentials === true at Frontend
-  # exposedHeaders: ['refresh-token'], // allow this to be sent back in response
-  # maxAge
-  # allowedHeaders
-  # credentials
-  # default cors settings
-  # credentials: true // Access-Control-Allow-Credentials value to true
+#   exposedHeaders: ['refresh-token'], // allow this to be sent back in response
+#   maxAge
+#   allowedHeaders
+#   credentials
+#   default cors settings
+#   credentials: true // Access-Control-Allow-Credentials value to true
+# SAMPLE: "allowedHeaders": ["content-type", "Authorization","access_token", "refresh_token"]
 CORS_OPTIONS='{
   "methods": "GET,HEAD,PUT,PATCH,POST,DELETE,OPTIONS",
   "preflightContinue": false,
@@ -232,8 +233,11 @@ CORS_OPTIONS='{
   "credentials": true,
   "origin": ["http://127.0.0.1:8080","https://127.0.0.1:8080"]
 }'
-
-#  "allowedHeaders": ["content-type", "Authorization","access_token", "refresh_token"]
+## set CORS_DEFAULTS if certain CORS headers are missing, to handle:
+## https://www.alibabacloud.com/help/en/fc/overview-36 (CORS request processing)
+CORS_DEFAULTS='{
+  "Access-Control-Allow-Origin": "forbidden"
+}'
 
 # 'http://127.0.0.1:8080', // used by proxy middleware
 PROXY_WWW_ORIGIN=
diff --git a/apps/README.md b/apps/README.md
index 89d9a86..2640817 100644
--- a/apps/README.md
+++ b/apps/README.md
@@ -75,6 +75,8 @@ Refer to following files for SPA sample (uses fido2-lib in backend)
 +- .dockerignore
 +- .editorconfig
 +- .env.sample
++- .env.dev : on dev server
++- .env.development : on local dev machine
 +- .eslintrc.js
 +- .gitignore
 +- app.js : the express app boilerplate
diff --git a/package.json b/package.json
index ce8c9b9..124ee0c 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "express-template",
   "description": "express template",
-  "version": "0.0.1",
+  "version": "0.0.2",
   "private": true,
   "author": "aaronjxz@gmail.com",
   "license": "MIT",
@@ -47,7 +47,7 @@
   },
   "dependencies": {
     "@es-labs/esm": "^0.0.21",
-    "@es-labs/node": "^0.0.36",
+    "@es-labs/node": "^0.0.37",
     "esm": "^3.2.25",
     "express": "^4.18.3",
     "express-jsdoc-swagger": "^1.8.0",