
Security: alisolphp/SeatLock


docs/SECURITY.md

Security Guidelines

CORS Configuration

  • Use NelmioCorsBundle for handling CORS.
  • Allowed origins: * in dev, restricted to specific domains in prod (e.g., frontend URLs).
  • Methods: GET, POST, OPTIONS.
  • Headers: X-Mock-User-Id, Idempotency-Key, Content-Type.

Security Headers

  • CSP: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'.
  • HSTS: max-age=31536000; includeSubDomains.
  • X-Content-Type-Options: nosniff.
  • X-Frame-Options: DENY.
  • X-XSS-Protection: 1; mode=block.

Set these headers either in the nginx configuration or on Symfony responses, so every response carries them.
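One way to apply the header list above on the Symfony side, as an added example that is not part of SeatLock's code: a kernel response subscriber that adds each header unless a controller already set it, and sends HSTS only on HTTPS responses. The class name and namespace are assumptions.

```php
<?php
// Added example (not SeatLock's own code): a Symfony event subscriber that
// sets the security headers documented in this policy on every main response.
// Class name and namespace are assumptions.

namespace App\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

final class SecurityHeadersSubscriber implements EventSubscriberInterface
{
    /** Header name => value, exactly as listed in this document. */
    private const HEADERS = [
        'Content-Security-Policy' => "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'",
        'X-Content-Type-Options'  => 'nosniff',
        'X-Frame-Options'         => 'DENY',
        'X-XSS-Protection'        => '1; mode=block',
    ];

    /** HSTS is meaningful only on HTTPS responses, so it is handled separately. */
    private const HSTS = 'max-age=31536000; includeSubDomains';

    public static function getSubscribedEvents(): array
    {
        // Negative priority: run after other response listeners so the
        // headers are present on the final response.
        return [KernelEvents::RESPONSE => ['onKernelResponse', -10]];
    }

    public function onKernelResponse(ResponseEvent $event): void
    {
        // Sub-requests (fragments, forwards) share the main response.
        if (!$event->isMainRequest()) {
            return;
        }

        $headers = $event->getResponse()->headers;
        foreach (self::HEADERS as $name => $value) {
            // Do not overwrite a header a controller set deliberately
            // (for example a stricter per-route CSP).
            if (!$headers->has($name)) {
                $headers->set($name, $value);
            }
        }

        if ($event->getRequest()->isSecure() && !$headers->has('Strict-Transport-Security')) {
            $headers->set('Strict-Transport-Security', self::HSTS);
        }
    }
}
```

With Symfony's default service autoconfiguration the class is registered as an event subscriber automatically; no extra wiring is needed.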

There aren’t any published security advisories