Apply suggestions from code review

jongalloway · Copilot · web-flow · commit e79c40c4baae · 2025-06-20T20:51:54.000-07:00
Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/src/NLWebNet/Middleware/NLWebMiddleware.cs b/src/NLWebNet/Middleware/NLWebMiddleware.cs
@@ -39,7 +39,7 @@ public async Task InvokeAsync(HttpContext context)
         });
 
         // Log incoming request with structured data
-        _logger.LogInformation("Processing {Method} {Path} from {RemoteIP} with correlation ID {CorrelationId}",
+        _logger.LogDebug("Processing {Method} {Path} from {RemoteIP} with correlation ID {CorrelationId}",
             context.Request.Method, context.Request.Path,
             context.Connection.RemoteIpAddress?.ToString() ?? "unknown", correlationId);
 
@@ -70,7 +70,17 @@ public async Task InvokeAsync(HttpContext context)
 
     private static void AddCorsHeaders(HttpContext context)
     {
-        context.Response.Headers.Append("Access-Control-Allow-Origin", "*");
+        var allowedOrigins = Environment.GetEnvironmentVariable("ALLOWED_ORIGINS")?.Split(',') ?? new[] { "*" };
+        var origin = context.Request.Headers["Origin"].FirstOrDefault();
+
+        if (origin != null && allowedOrigins.Contains(origin, StringComparer.OrdinalIgnoreCase))
+        {
+            context.Response.Headers.Append("Access-Control-Allow-Origin", origin);
+        }
+        else if (allowedOrigins.Contains("*"))
+        {
+            context.Response.Headers.Append("Access-Control-Allow-Origin", "*");
+        }
         context.Response.Headers.Append("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
         context.Response.Headers.Append("Access-Control-Allow-Headers", "Content-Type, Authorization, X-Correlation-ID, X-Client-Id");
         context.Response.Headers.Append("Access-Control-Expose-Headers", "X-Correlation-ID, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset");
diff --git a/src/NLWebNet/Middleware/RateLimitingMiddleware.cs b/src/NLWebNet/Middleware/RateLimitingMiddleware.cs
@@ -47,9 +47,9 @@ public async Task InvokeAsync(HttpContext context)
 
         // Add rate limit headers
         var status = await _rateLimitingService.GetRateLimitStatusAsync(identifier);
-        context.Response.Headers.Append("X-RateLimit-Limit", _options.RequestsPerWindow.ToString());
-        context.Response.Headers.Append("X-RateLimit-Remaining", status.RequestsRemaining.ToString());
-        context.Response.Headers.Append("X-RateLimit-Reset", ((int)status.WindowResetTime.TotalSeconds).ToString());
+        context.Response.Headers["X-RateLimit-Limit"] = _options.RequestsPerWindow.ToString();
+        context.Response.Headers["X-RateLimit-Remaining"] = status.RequestsRemaining.ToString();
+        context.Response.Headers["X-RateLimit-Reset"] = ((int)status.WindowResetTime.TotalSeconds).ToString();
 
         await _next(context);
     }
