CORS is configured via env vars (see Configuration):
CORS_{INDEX}_ORIGIN
Behavior:
- Origins whose host is localhost or 127.0.0.1 are allowed on any port
- Any other origin is allowed only if it is listed in a CORS_{INDEX}_ORIGIN variable
The API sets basic security headers on all responses:
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- X-XSS-Protection: 1; mode=block
- Referrer-Policy: strict-origin-when-cross-origin
- Content-Security-Policy: default-src 'self'
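An added example (not the project's own code) of the origin check and header policy described above: it collects CORS_{INDEX}_ORIGIN values from the environment, allows localhost/127.0.0.1 on any port by parsing the origin rather than substring-matching it, and attaches the security headers to every response. The function names and the constructed sample environment are assumptions.

```python
import os
from urllib.parse import urlsplit

# Hosts treated as local development origins (allowed on any port).
LOCAL_HOSTS = {"localhost", "127.0.0.1"}

# Security headers applied to every response (values as listed above).
SECURITY_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'",
}


def configured_origins(env=None):
    """Collect CORS_{INDEX}_ORIGIN values (INDEX must be an integer)."""
    env = os.environ if env is None else env
    origins = set()
    for key, value in env.items():
        parts = key.split("_")
        if (len(parts) == 3 and parts[0] == "CORS"
                and parts[2] == "ORIGIN" and parts[1].isdigit()):
            origins.add(value.strip().rstrip("/").lower())
    return origins


def is_origin_allowed(origin, env=None):
    """True if the Origin header value may be granted CORS access.

    The origin is parsed, so hosts such as localhost.example.test or
    127.0.0.1.example.test are not mistaken for local ones.
    """
    if not origin:
        return False
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False  # a real Origin header carries scheme, host and port only
    if parts.hostname in LOCAL_HOSTS:
        return True  # any port
    return origin.rstrip("/").lower() in configured_origins(env)


def response_headers(origin, env=None):
    """Security headers always; CORS headers only for an allowed origin."""
    headers = dict(SECURITY_HEADERS)
    if is_origin_allowed(origin, env):
        headers["Access-Control-Allow-Origin"] = origin
        headers["Vary"] = "Origin"  # keep caches from reusing one origin's ACAO for another
    return headers
```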
- Request-level tracking is in-memory only
- Old tracking data is pruned (see Rate limiting & anti-abuse)