fix: Change CORS default to deny-all when unconfigured

gandalf_automationrequested to merge
improve-cors-defaults into develop

Summary

  • Change CORS default from allow-all (origin: true) to deny-all (origin: false) when DENSER_SERVER_API_CORS_ALLOW_ORIGIN is not set
  • Add warning log to help operators identify missing configuration

Rationale

Follows fail-closed principle - misconfigured deployments will block cross-origin requests rather than silently allowing them from any origin.

Test plan

  • Verify existing deployments with DENSER_SERVER_API_CORS_ALLOW_ORIGIN set continue to work
  • Verify new deployments without the env var block cross-origin requests
  • Verify warning appears in logs when env var is not set

Merge request reports