fix(nqc): document wildcard CORS in proxy and add ALLOWED_ORIGINS env

hyperpolymath · claude · hyperpolymath · commit 105c40af20e2 · 2026-03-28T08:03:25.000Z
NQC proxy is a localhost dev tool — wildcard CORS is intentional but
now documented with ALLOWED_ORIGINS env var for non-dev deployments.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/nqc/web/proxy/server.js b/nqc/web/proxy/server.js
@@ -32,9 +32,13 @@ const PORT_MAP = {
   kql: 8082,
 };
 
-// CORS headers added to every proxied response
+// CORS headers added to every proxied response.
+// Wildcard origin is intentional: this is a localhost-only dev proxy bridging
+// the browser to database engines on different ports.  For non-dev deployments,
+// set ALLOWED_ORIGINS to a comma-separated list of permitted origins.
+const ALLOWED_ORIGIN = Deno.env.get("ALLOWED_ORIGINS") || "*";
 const CORS_HEADERS = {
-  "Access-Control-Allow-Origin": "*",
+  "Access-Control-Allow-Origin": ALLOWED_ORIGIN,
   "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
   "Access-Control-Allow-Headers": "Content-Type, Authorization",
   "Access-Control-Max-Age": "86400",
