Previously the file server unconditionally returned
Access-Control-Allow-Origin: * together with
Access-Control-Allow-Credentials: true. While most browsers reject
that combination, several edge cases (HTTP/2 intermediaries,
non-browser clients, and reverse proxies that rewrite ACAO) still permit
cross-origin authenticated requests, allowing CSRF-style abuse of
/upload, /delete, etc.

This change introduces an ALLOWED_ORIGINS env var. The server now:
* Echoes the request Origin only when it appears in the allow list
* Sends Allow-Credentials: true only alongside an explicit origin
* Adds Vary: Origin to prevent cache poisoning
* Rejects cross-origin requests with a non-allow-listed Origin
* Defaults to no allow-listed origins (same-origin only)
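The allow-list decision described in this commit message, written out as an added example in Python (the file server's own language is not stated here, so this is not the project's code; `parse_allowed_origins`, `cors_headers` and `decide` are hypothetical names). It parses ALLOWED_ORIGINS, echoes the request Origin only on an exact allow-list match, sends Allow-Credentials only alongside that echoed origin, always emits Vary: Origin, and rejects any other cross-origin request; `*` and `null` are refused at parse time so they can never be echoed.

```python
"""Added example of the CORS policy from the commit message (not the project's code)."""
import os
from typing import Dict, Mapping, Optional, Tuple
from urllib.parse import urlsplit


def parse_allowed_origins(value: Optional[str]) -> frozenset:
    """Parse a comma-separated ALLOWED_ORIGINS value into a set of exact origins.

    Empty or unset means no cross-origin requests are allowed (same-origin only).
    Each entry must be scheme://host[:port]; wildcards, paths and "null" are rejected.
    """
    if not value:
        return frozenset()
    origins = set()
    for raw in value.split(","):
        entry = raw.strip().lower()
        if not entry:
            continue
        parts = urlsplit(entry)
        if (parts.scheme not in ("http", "https") or not parts.netloc
                or parts.path or parts.query or parts.fragment):
            raise ValueError(f"malformed origin in ALLOWED_ORIGINS: {raw!r}")
        origins.add(f"{parts.scheme}://{parts.netloc}")
    return frozenset(origins)


def cors_headers(origin: Optional[str], allowed: frozenset) -> Tuple[bool, Dict[str, str]]:
    """Return (request_permitted, response_headers) for a request's Origin header.

    A missing Origin is a same-origin or non-CORS request: permitted, no ACAO at all.
    An allow-listed Origin is echoed exactly and paired with Allow-Credentials: true.
    Anything else is rejected and gets no ACAO header, so no client can treat it as allowed.
    """
    headers = {"Vary": "Origin"}  # always: responses differ by Origin, so caches must key on it
    if origin is None:
        return True, headers
    if origin.strip().lower() in allowed:
        headers["Access-Control-Allow-Origin"] = origin  # exact echo, never "*"
        headers["Access-Control-Allow-Credentials"] = "true"
        return True, headers
    return False, headers


def decide(request_headers: Mapping[str, str],
           env: Optional[Mapping[str, str]] = None) -> Tuple[int, Dict[str, str]]:
    """Map a request's headers to (status, response_headers) using ALLOWED_ORIGINS.

    Header lookup is case-insensitive; a rejected cross-origin request yields 403.
    """
    env = os.environ if env is None else env
    allowed = parse_allowed_origins(env.get("ALLOWED_ORIGINS"))
    origin = next((v for k, v in request_headers.items() if k.lower() == "origin"), None)
    permitted, headers = cors_headers(origin, allowed)
    return (200 if permitted else 403), headers


if __name__ == "__main__":
    # Constructed sample: two allow-listed origins and three kinds of request.
    sample_env = {"ALLOWED_ORIGINS": "https://app.example.com, https://admin.example.com:8443"}
    for req in ({"Origin": "https://app.example.com"},
                {"origin": "https://attacker.example"},
                {}):
        print(req, "->", decide(req, sample_env))
```

The reject branch deliberately returns a 403 with no ACAO header rather than echoing a default: an intermediary that rewrites or strips ACAO cannot turn "absent" into a credentialed allow, which is the failure mode the old `*` + `true` pair left open.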