feat(security): configure cors

app/main.py

@@ -18,6 +18,9 @@ logger = get_logger("main")
 API_KEY = os.getenv("API_KEY")
 api_key_header = APIKeyHeader(name="X-API-Key", auto_error=True)
 
+# Add this near the top with other environment variables
+FRONTEND_URL = os.getenv("FRONTEND_URL", "http://localhost:3000")  # Add default for local development
+
 
 async def get_api_key(api_key_header: str = Security(api_key_header)):
     if not API_KEY:
@@ -38,8 +41,8 @@ app = FastAPI(
 
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=["*"],
-    allow_credentials=False,
+    allow_origins=[FRONTEND_URL],  # Replace "*" with specific frontend URL
+    allow_credentials=True,  # Changed to True since we're restricting origins
     allow_methods=["GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD", "PATCH"],
     allow_headers=["*"],
     expose_headers=[
@@ -59,7 +62,7 @@ async def handle_redirects(request: Request, call_next):
     """Ensure CORS headers are in redirect responses and force https in the 'Location' header."""
     response = await call_next(request)
 
-    response.headers["Access-Control-Allow-Origin"] = "*"
+    response.headers["Access-Control-Allow-Origin"] = FRONTEND_URL 
     response.headers["Access-Control-Allow-Methods"] = (
         "GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH"
     )