fix: restrict CORS to same-origin (closes #23)

In dev mode, keep the wildcard origin for local testing convenience.
In production, skip CORS headers entirely since the web UI is
server-rendered and cross-origin requests are not expected.

internal/middleware/middleware.go

@@ -108,18 +108,22 @@ func (s *Middleware) Logging() func(http.Handler) http.Handler {
 }
 
 func (s *Middleware) CORS() func(http.Handler) http.Handler {
-	return cors.Handler(cors.Options{
-		// CHANGEME! these are defaults, change them to suit your needs or
-		// read from environment/viper.
-		// AllowedOrigins: []string{"https://foo.com"}, // Use this to allow specific origin hosts
-		AllowedOrigins: []string{"*"},
-		// AllowOriginFunc:  func(r *http.Request, origin string) bool { return true },
-		AllowedMethods:   []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
-		AllowedHeaders:   []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token"},
-		ExposedHeaders:   []string{"Link"},
-		AllowCredentials: false,
-		MaxAge:           300, // Maximum value not ignored by any of major browsers
-	})
+	if s.params.Config.IsDev() {
+		// In development, allow any origin for local testing.
+		return cors.Handler(cors.Options{
+			AllowedOrigins:   []string{"*"},
+			AllowedMethods:   []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
+			AllowedHeaders:   []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token"},
+			ExposedHeaders:   []string{"Link"},
+			AllowCredentials: false,
+			MaxAge:           300,
+		})
+	}
+	// In production, the web UI is server-rendered so cross-origin
+	// requests are not expected. Return a no-op middleware.
+	return func(next http.Handler) http.Handler {
+		return next
+	}
 }
 
 // RequireAuth returns middleware that checks for a valid session.