Cors #661

Merged
portableDD merged 5 commits into Nexacore-Org:main from Qoder-Undefined:Cors
May 30, 2026

Conversation

@Qoder-Undefined (Contributor) commented May 29, 2026

main.ts: CORS is not configured — browser clients either get blocked or all origins are allowed by default

Summary

src/main.ts does not call app.enableCors(). Without explicit CORS configuration, browser-based clients cannot make cross-origin requests to the API. If a default permissive policy is applied by the runtime, it would allow any origin to call the API — equally problematic in production.

Why This Matters

- Frontend applications hosted on a different origin cannot communicate with the API
- Missing CORS config is a security misconfiguration for a financial API

What Needs to Be Done

- Add app.enableCors({ origin: configService.get('app.allowedOrigins'), credentials: true }) in main.ts
- Add ALLOWED_ORIGINS to env.validation.ts and configuration.ts
- Default to a restrictive whitelist; never use origin: '*' in production

Key Files

- src/main.ts
- src/config/env.validation.ts
- src/config/configuration.ts
- .env.example

Acceptance Criteria

- CORS is explicitly configured with an allowlist of origins from environment config
- credentials: true is set (required for cookie-based auth flows)
- ALLOWED_ORIGINS env var is documented in .env.example

closes #555
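As an added illustration of the change the PR describes (example code, not the project's own main.ts or config), the following builds the `origin` callback and `credentials: true` setting that `app.enableCors()` accepts from a comma-separated `ALLOWED_ORIGINS` value, refusing `'*'` and an empty allowlist when `NODE_ENV` is production. The function names and the comma-separated format are assumptions.

```typescript
// Added example, not the project's code. The callback shape
// (origin, cb) => cb(err, allow) is the one the `cors` middleware behind
// app.enableCors() calls for each request; everything else here is assumed.
type OriginCallback = (err: Error | null, allow?: boolean) => void;
type OriginChecker = (origin: string | undefined, cb: OriginCallback) => void;

interface CorsConfig {
  origin: OriginChecker;
  credentials: boolean;
}

/** Parse "https://a.example,https://b.example/" into a normalised allowlist. */
function parseAllowedOrigins(raw: string | undefined, nodeEnv = 'production'): string[] {
  const origins = (raw ?? '')
    .split(',')
    .map((o) => o.trim().replace(/\/+$/, '').toLowerCase())
    .filter((o) => o.length > 0);
  if (nodeEnv === 'production') {
    // Fail closed: an unset or wildcard allowlist must stop startup, not silently open the API.
    if (origins.length === 0) throw new Error('ALLOWED_ORIGINS must be set in production');
    if (origins.includes('*')) throw new Error("ALLOWED_ORIGINS must not contain '*' in production");
    for (const o of origins) {
      if (!/^https:\/\/[^/]+$/.test(o)) throw new Error(`invalid production origin: ${o}`);
    }
  }
  return origins;
}

/** Build the object to pass to app.enableCors(); credentials is always true for cookie auth. */
function buildCorsConfig(raw: string | undefined, nodeEnv = 'production'): CorsConfig {
  const allow = new Set(parseAllowedOrigins(raw, nodeEnv));
  return {
    credentials: true,
    origin: (origin, cb) => {
      // Requests without an Origin header (curl, server-to-server) are not subject to CORS.
      if (origin === undefined) return cb(null, true);
      if (allow.has(origin.toLowerCase())) return cb(null, true);
      // Unknown origin: send no Access-Control-Allow-Origin header, so the browser blocks it.
      return cb(null, false);
    },
  };
}

/** Synchronous helper for checks: would this Origin header value be allowed? */
function isOriginAllowed(cfg: CorsConfig, origin: string | undefined): boolean {
  let allowed = false;
  cfg.origin(origin, (_err, allow) => { allowed = allow === true; });
  return allowed;
}
```

With `credentials: true` the browser only honours an exact echoed origin, which is why the allowlist is matched exactly rather than with a wildcard.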

drips-wave (Bot) commented May 29, 2026

@Qoder-Undefined Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@portableDD (Contributor) commented:

@Qoder-Undefined please resolve conflicts

@portableDD portableDD merged commit 149deda into Nexacore-Org:main May 30, 2026
1 check failed
Development

Successfully merging this pull request may close these issues:

- [Wave 200pts] main.ts: CORS is not configured — browser clients either get blocked or all origins are allowed by default