
Secure CORS configuration by replacing wildcard origin with environment-specific allowed origins #1

@chigwell

Description

User Story
As a security-conscious developer,
I want to replace the wildcard CORS origin in backend/app/main.py with environment-specific allowed origins
so that in production only the front-end origins we trust can make credentialed cross-origin requests to the API and read its responses.


Background
The current CORS configuration in backend/app/main.py uses a permissive wildcard (origins = ["*"]), which:

  • Lets any website make cross-origin requests to the API in production and read the responses
  • Violates security best practices for APIs exposed to public traffic
  • Becomes a data-exposure risk when combined with cookie- or token-based authentication: a page on an attacker-controlled origin can send requests that carry the victim's credentials and read the results. Browsers refuse the literal * together with credentials, but a middleware that reflects the request Origin when credentials are present loses that safeguard, so trusted origins must be listed explicitly. (CORS does not by itself stop classic CSRF, a state-changing request whose response the attacker never reads; that still needs SameSite cookies or a CSRF token.)

The codebase uses Docker Compose for environment management, making it feasible to implement environment-specific allowlists (e.g., only permitting http://localhost:3000 in development while restricting to production domains in live environments).


Acceptance Criteria

  • Modify backend/app/main.py to:
    • Load allowed origins from environment variable CORS_ALLOWED_ORIGINS (comma-separated values; whitespace around entries is ignored)
    • Default to an empty list (no cross-origin requests allowed) if the environment variable is not set
    • Replace hardcoded origins = ["*"] with the origins derived from the environment variable; a literal * in the variable must be rejected rather than re-opening the API
  • Update docker-compose.yml to:
    • Set CORS_ALLOWED_ORIGINS=http://localhost:3000 for the backend service in development
    • Include placeholder comments for staging/production configurations
  • Validation steps:
    • In the development environment, the frontend at http://localhost:3000 can successfully fetch from the backend API, and the response carries Access-Control-Allow-Origin: http://localhost:3000
    • Requests from non-allowlisted origins (test via curl -H "Origin: http://malicious.com" -I http://localhost:80) receive no Access-Control-Allow-Origin header, so the browser refuses to expose the response to the calling page. CORS is enforced by the browser, not by a 403 from the server: curl will still show the route's normal status, and the check is that the header is absent
    • Environment variable changes persist after container rebuilds
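The following is an added worked example, not the project's backend/app/main.py: it parses CORS_ALLOWED_ORIGINS exactly as the criteria above describe (comma-separated, empty by default, wildcard rejected) and shows, per request Origin, which callers get an Access-Control-Allow-Origin header and which get nothing. The function names, the sample origins and the `dev_env` mapping are assumptions; only the variable name and the http://localhost:3000 development value come from the issue.

```python
"""Environment-driven CORS allowlist (added example, not the project's code)."""
import os
from typing import Iterable, List, Mapping, Optional
from urllib.parse import urlsplit

ENV_VAR = "CORS_ALLOWED_ORIGINS"


def normalise_origin(raw: str) -> Optional[str]:
    """Canonicalise 'scheme://host[:port]': lower-case scheme and host, one
    optional trailing '/' tolerated. Returns None for anything that is not a
    plain web origin (wildcards, paths, userinfo, non-http schemes, bad ports)."""
    value = raw.strip()
    if value.endswith("/"):
        value = value[:-1]
    parts = urlsplit(value)
    if parts.scheme.lower() not in ("http", "https"):
        return None
    if not parts.hostname or parts.username or parts.password:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    try:
        port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return None
    host = f"[{parts.hostname}]" if ":" in parts.hostname else parts.hostname
    origin = f"{parts.scheme.lower()}://{host}"
    return f"{origin}:{port}" if port is not None else origin


def parse_allowed_origins(value: str) -> List[str]:
    """Split the comma-separated setting into canonical origins. Blank entries
    are skipped and duplicates collapse; a wildcard or malformed entry raises so
    a bad deployment fails loudly instead of silently re-opening the API."""
    origins: List[str] = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if entry == "*":
            raise ValueError(f"{ENV_VAR} must list explicit origins, not '*'")
        origin = normalise_origin(entry)
        if origin is None:
            raise ValueError(f"{ENV_VAR}: {entry!r} is not a valid origin")
        if origin not in origins:
            origins.append(origin)
    return origins


def load_allowed_origins(environ: Mapping[str, str] = os.environ) -> List[str]:
    """Read the allowlist; unset means an empty list, i.e. deny every cross-origin caller."""
    return parse_allowed_origins(environ.get(ENV_VAR, ""))


def cors_headers_for(request_origin: Optional[str], allowed: Iterable[str],
                     allow_credentials: bool = True) -> dict:
    """Response headers for the given request Origin. An empty dict means the
    browser will not expose the response to the calling page; no 403 is needed,
    CORS is enforced client-side by withholding the header."""
    if not request_origin:
        return {}  # no Origin header: same-origin or non-browser client
    origin = normalise_origin(request_origin)
    if origin is None or origin not in set(allowed):
        return {}
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if allow_credentials:
        # Safe only because '*' is never emitted: the spec forbids '*' with credentials.
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    # Constructed environment mirroring the docker-compose development setting.
    dev_env = {ENV_VAR: "http://localhost:3000"}
    allowed = load_allowed_origins(dev_env)
    for origin in ("http://localhost:3000", "http://malicious.com",
                   "http://localhost:3000.evil.com", "null"):
        print(origin, "->", cors_headers_for(origin, allowed)
              or "no CORS headers (browser blocks the read)")
```

Wire `load_allowed_origins()` into whatever CORS middleware the backend uses; if it is FastAPI/Starlette (the issue does not say), that is `CORSMiddleware(allow_origins=load_allowed_origins(), allow_credentials=True, ...)`, and the development value is the single line `CORS_ALLOWED_ORIGINS=http://localhost:3000` under the backend service's `environment:` key in docker-compose.yml. Note that `http://localhost:3000.evil.com` is a perfectly valid origin and is rejected only because the allowlist is compared by exact match, which is why prefix or substring matching must never be used here.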
