Commit 88db043b authored by Gandalf

fix: Change CORS default to deny-all when unconfigured

Change default behavior when DENSER_SERVER_API_CORS_ALLOW_ORIGIN is
not set from allow-all (origin: true) to deny-all (origin: false).

This follows the fail-closed security principle - misconfigured
deployments will block cross-origin requests rather than allowing them.
A warning is logged to help operators identify the missing configuration.
parent 30fd49bd
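
The default change described in the commit message, sketched as an added example (not the project's own code): the old allow-all resolution beside the fail-closed one. The function names and the comma-separated value format are assumptions; only the environment variable name and the `origin: true` / `origin: false` defaults come from the commit message.

```javascript
// Added example; every name except the environment variable is hypothetical.
const ENV_KEY = 'DENSER_SERVER_API_CORS_ALLOW_ORIGIN';

// Previous default described in the commit message: unset means allow-all.
function resolveOriginLegacy(env) {
  const raw = (env[ENV_KEY] || '').trim();
  return raw === '' ? true : parseOrigins(raw, () => {});
}

// New default: unset means deny-all, with a warning for the operator.
function resolveOrigin(env, warn = console.warn) {
  const raw = (env[ENV_KEY] || '').trim();
  if (raw === '') {
    warn(`${ENV_KEY} is not set; cross-origin requests will be blocked`);
    return false;
  }
  return parseOrigins(raw, warn);
}

// Assumed format: comma-separated list of exact origins (scheme://host[:port]).
function parseOrigins(raw, warn) {
  const origins = [];
  for (const item of raw.split(',').map((s) => s.trim()).filter(Boolean)) {
    try {
      const u = new URL(item);
      // Keep only bare http(s) origins: no path, query or trailing slash.
      if (/^https?:$/.test(u.protocol) && u.origin === item) {
        origins.push(item);
        continue;
      }
    } catch (_) { /* not a URL, fall through to the warning */ }
    warn(`${ENV_KEY}: ignoring invalid origin "${item}"`);
  }
  // Nothing valid left: fail closed rather than fall back to allow-all.
  return origins.length > 0 ? origins : false;
}

// What the resolved option means for a request's Origin header.
function isOriginAllowed(option, requestOrigin) {
  if (option === true) return true;   // allow-all
  if (option === false) return false; // deny-all
  return option.includes(requestOrigin); // exact-match allowlist
}
```

A deployment that relied on the old default has to set the variable explicitly after this change; the warning is the signal to look for in the logs.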