Problem
In main.py:18-24:
    app.add_middleware(
        CORSMiddleware,
        allow_origins=["*"],
        allow_credentials=True,
        ...
    )
Per the CORS specification, browsers will reject responses that use Access-Control-Allow-Origin: * together with Access-Control-Allow-Credentials: true. This combination is explicitly forbidden.
Suggested Fix
Either:
- Remove allow_credentials=True if credentials aren't needed, or
- Replace allow_origins=["*"] with a list of specific allowed origins (configurable via environment variable).
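
A sketch of the second option, added here as an example and not taken from the project's code: it reads a comma-separated origin list from an environment variable, rejects wildcards and malformed entries, and enables credentials only when an explicit list is present. The variable name CORS_ALLOWED_ORIGINS and both function names are assumptions.

```python
import os
from urllib.parse import urlsplit

ENV_VAR = "CORS_ALLOWED_ORIGINS"  # assumed name, not defined by the project


def parse_origins(raw: str) -> list[str]:
    """Split a comma-separated origin list and validate each entry."""
    origins = []
    for item in raw.split(","):
        item = item.strip().rstrip("/").lower()
        if not item:
            continue
        if "*" in item:
            raise ValueError(f"wildcard not allowed in explicit list: {item!r}")
        parts = urlsplit(item)
        # An origin is scheme://host[:port] only: no path, query,
        # fragment or userinfo.
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"not a valid origin: {item!r}")
        if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
            raise ValueError(f"origin must be scheme://host[:port]: {item!r}")
        _ = parts.port  # raises ValueError on a non-numeric or out-of-range port
        if item not in origins:
            origins.append(item)
    return origins


def cors_settings(environ=os.environ) -> dict:
    """Build the origin-related keyword arguments for CORSMiddleware."""
    origins = parse_origins(environ.get(ENV_VAR, ""))
    # Credentials are enabled only alongside an explicit allow-list; with
    # nothing configured, no cross-origin access is granted at all.
    return {"allow_origins": origins, "allow_credentials": bool(origins)}


# In main.py the result would replace the two hard-coded arguments, with the
# remaining (elided) arguments left as they are:
#   app.add_middleware(CORSMiddleware, **cors_settings(), ...)
```

Raising at startup on a bad entry means a misconfigured deployment fails immediately instead of silently serving with a permissive or empty policy.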