Harden CORS configuration and add integration tests

[temma02]

Description

getAllowedOrigins in cors.ts reads from an env var but falls back to a wildcard in development. This wildcard can leak into staging if the env var is not set. The allowed-origins list should be explicit and validated at startup.

Requirements and context

• Must be secure, tested, and documented where applicable
• Should stay reviewable and fit the current monorepo structure
• Relevant files: apps/backend/src/lib/api/cors.ts, apps/backend/src/lib/api/cors.test.ts, apps/frontend/src/lib/api/cors.ts

Suggested execution

• Create branch: issue-018-harden-cors-configuration
• Keep changes scoped to the issue and reference the task IDs in the PR

Implement changes

• Throw at startup if ALLOWED_ORIGINS is unset in non-development environments
• Validate each origin is a well-formed URL (no trailing slashes, no wildcards in production)
• Add Vary: Origin header to all CORS responses

Test and commit

• Extend cors.test.ts with: missing env var in production, malformed origin, preflight for disallowed origin
• Run vitest run apps/backend/src/lib/api/cors.test.ts
• Edge case: localhost origins must only be allowed in development

Example commit message

fix(cors): enforce explicit allowed-origins in non-development environments

Guidelines

• Prefer small, reviewable PRs
• Keep naming and data contracts consistent with the spec docs

[OkeyAmy]

@OkeyAmy has applied to work on this issue as part of the Stellar Wave Program's 4th wave.

Hello Chief, I would like to work on this issue. I have 3 years of experience as an open source contributor

ℹ️ Repo Maintainers: To accept this application, review their application or assign @OkeyAmy to this issue.

[LaahAbba]

@LaahAbba has applied to work on this issue as part of the Stellar Wave Program's 4th wave.

Hi my name is Abba and I'm a full stack develop I'll like to work on this issue because It picks my interest and Ive got experience with similar projects I'll have it solved in 24 hours or less

ℹ️ Repo Maintainers: To accept this application, review their application or assign @LaahAbba to this issue.

[dot-enny]

@dot-enny has applied to work on this issue as part of the Stellar Wave Program's 4th wave.

Hi, i think i can handle this.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @dot-enny to this issue.

[drips-wave]

Congratulations, @LaahAbba! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on April 29, 2026.

🧑‍💻 @LaahAbba: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊