
Tech Story: Add Helmet and restrict CORS to known origin #94

@GitAddRemote

Description

Tech Story

As a platform engineer, I want the API to send standard security response headers and only accept requests from known origins so that common browser-based attacks (clickjacking, MIME sniffing, protocol downgrade) are mitigated by default.

Context

app.enableCors() with no options defaults to origin: '*', allowing any origin to make cross-origin requests. No security headers (Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, etc.) are set anywhere. Both are table-stakes for any public-facing API.

Acceptance Criteria

  • helmet() applied globally in main.ts before route handlers
  • CORS restricted to ALLOWED_ORIGIN env var (required — app fails to start if missing)
  • CORS configured with credentials: true to support httpOnly cookie auth (see Tech Story: Switch auth tokens to httpOnly cookies #93)
  • Strict-Transport-Security header present in production responses
  • X-Frame-Options: DENY present in all responses
  • X-Content-Type-Options: nosniff present in all responses
  • ALLOWED_ORIGIN documented in .env.example

Technical Elaboration

  • Install helmet; call app.use(helmet(...)) in main.ts before any route is registered. Helmet's frameguard default is SAMEORIGIN, so the X-Frame-Options: DENY criterion needs an explicit option:
    app.use(helmet({ frameguard: { action: 'deny' } }));
  • Replace app.enableCors() with the following (getOrThrow from @nestjs/config makes bootstrap fail when ALLOWED_ORIGIN is unset, which is what the acceptance criteria require):
    app.enableCors({
      origin: configService.getOrThrow<string>('ALLOWED_ORIGIN'),
      credentials: true,
      methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'],
    });
  • Helmet defaults cover the remaining headers (X-Content-Type-Options: nosniff, Strict-Transport-Security, and a default Content-Security-Policy); no custom CSP is needed for a JSON API at this stage
  • With credentials: true the CORS origin must be a concrete string, array or callback, never *: browsers discard credentialed responses that carry Access-Control-Allow-Origin: *. The value must also be a bare origin (scheme://host[:port], no path or trailing slash), because the cors package compares it to the request's Origin header as an exact string
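Added example (not code from this project): the two checks a platform engineer wants around this story, written as plain TypeScript with no NestJS or helmet dependency so it runs stand-alone. buildCorsOptions() turns the required ALLOWED_ORIGIN variable into the options object passed to app.enableCors() and refuses to start on the misconfigurations that break credentialed CORS; parseHeaderBlock() and checkSecurityHeaders() verify one response against the acceptance criteria. The env-map shape, the comma-separated multi-origin convention and the sample header blocks are assumptions made for the example.

```typescript
// Added example, not the project's main.ts. Pure functions only, so it runs
// without @nestjs/* or helmet installed. Env shape and samples are assumed.

interface CorsOptions {
  origin: string | string[];
  credentials: true;
  methods: string[];
}

// A bare origin: scheme://host[:port] with no path or trailing slash. The cors
// package compares the configured string to the request's Origin header
// exactly, so "https://app.example.com/" would never match a real request.
const BARE_ORIGIN = /^https?:\/\/[A-Za-z0-9.-]+(:\d{1,5})?$/;

// Build the enableCors() options from the environment. Throws (and therefore
// stops bootstrap) when ALLOWED_ORIGIN is missing, is "*", or is malformed.
function buildCorsOptions(env: Record<string, string | undefined>): CorsOptions {
  const raw = (env.ALLOWED_ORIGIN ?? '').trim();
  if (raw === '') {
    throw new Error('ALLOWED_ORIGIN is not set; refusing to start');
  }
  // Assumed convention: comma-separated values allow more than one front-end origin.
  const origins = raw.split(',').map((o) => o.trim()).filter((o) => o !== '');
  for (const o of origins) {
    if (o === '*') {
      // Browsers reject credentialed responses with Access-Control-Allow-Origin: *.
      throw new Error('ALLOWED_ORIGIN must not be "*" when credentials: true');
    }
    if (!BARE_ORIGIN.test(o)) {
      throw new Error(`ALLOWED_ORIGIN entry is not a bare origin: ${o}`);
    }
  }
  return {
    origin: origins.length === 1 ? origins[0] : origins,
    credentials: true,
    methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'],
  };
}

// Parse the header block printed by `curl -sI` into a lower-cased name -> value
// map; the status line and blank lines carry no colon and are skipped.
function parseHeaderBlock(text: string): Record<string, string> {
  const headers: Record<string, string> = {};
  for (const line of text.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// Return every acceptance-criteria failure for one response. HSTS is only
// required when production is true, as the story specifies.
function checkSecurityHeaders(headers: Record<string, string>, production: boolean): string[] {
  const failures: string[] = [];
  const xfo = headers['x-frame-options'];
  if (xfo === undefined) {
    failures.push('X-Frame-Options missing');
  } else if (xfo.toUpperCase() !== 'DENY') {
    failures.push(`X-Frame-Options is ${xfo}, expected DENY`);
  }
  if ((headers['x-content-type-options'] ?? '').toLowerCase() !== 'nosniff') {
    failures.push('X-Content-Type-Options: nosniff missing');
  }
  if (production) {
    const hsts = headers['strict-transport-security'];
    if (hsts === undefined || !/max-age=\d+/i.test(hsts)) {
      failures.push('Strict-Transport-Security missing or without max-age');
    }
  }
  if (headers['access-control-allow-origin'] === '*' && headers['access-control-allow-credentials'] === 'true') {
    failures.push('Access-Control-Allow-Origin: * combined with credentials; browsers will reject the response');
  }
  return failures;
}

// Constructed sample responses (not captured from any real service). The first
// shows the catch in this story: helmet()'s frameguard default is SAMEORIGIN,
// so a plain app.use(helmet()) does not satisfy the DENY criterion.
const SAMPLE_HELMET_DEFAULTS = [
  'HTTP/1.1 200 OK',
  'Content-Type: application/json; charset=utf-8',
  'Strict-Transport-Security: max-age=31536000; includeSubDomains',
  'X-Content-Type-Options: nosniff',
  'X-Frame-Options: SAMEORIGIN',
  '',
].join('\r\n');

const SAMPLE_HARDENED = SAMPLE_HELMET_DEFAULTS.replace('SAMEORIGIN', 'DENY');
```

In main.ts the call would be app.enableCors(buildCorsOptions(process.env)); for a post-deploy check, pipe the output of curl -sI against the API into parseHeaderBlock() and treat a non-empty checkSecurityHeaders() result as a failed smoke test. Running the checker over the first sample reports only the X-Frame-Options mismatch; over the second it reports nothing.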

Notes

Metadata

Assignees

No one assigned

Labels

  • backend: Backend services and logic
  • config: Configuration and feature flags
  • security: Security, auth, and permissions
  • tech-story: Technical implementation story
