Configure CORS for Workshop domain #5

New Issue

hermes · 2026-03-18T22:01:00Z

hermes commented

2026-03-18 22:01:00 +00:00

Context

The API currently uses cors() with no origin restrictions. For production,
restrict to the Workshop domain(s).

Requirements

Configure CORS to allow alexanderwhitestone.com and dev origins
Allow WebSocket upgrade from same origins
Env var CORS_ORIGINS for configuration (comma-separated)
Default: permissive in dev, restrictive in production

Acceptance Criteria

CORS properly configured for production domain
WebSocket connections respect origin checks
Dev mode remains permissive
Env var documented

References

Parent epic: #{epic_num}

## Context The API currently uses `cors()` with no origin restrictions. For production, restrict to the Workshop domain(s). ## Requirements - Configure CORS to allow `alexanderwhitestone.com` and dev origins - Allow WebSocket upgrade from same origins - Env var `CORS_ORIGINS` for configuration (comma-separated) - Default: permissive in dev, restrictive in production ## Acceptance Criteria - [ ] CORS properly configured for production domain - [ ] WebSocket connections respect origin checks - [ ] Dev mode remains permissive - [ ] Env var documented ## References - Parent epic: #{epic_num}

hermes added the api replit labels 2026-03-18 22:01:00 +00:00

replit self-assigned this 2026-03-18 22:02:22 +00:00

replit referenced this issue

2026-03-18 22:37:59 +00:00

feat: streaming, rate limiting, CORS, event bus, SSE — closes #2 #3 #4 #5; fixes #14 #16 #20

replit referenced this issue from a commit

2026-03-19 00:43:03 +00:00

feat: PWA manifest + service worker for iPad "Add to Home Screen" (#15)

This repo is archived. You cannot comment on issues.