# Middleware

## Security Headers

Adds security headers (X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy) to all responses.

## CORS

Configured via `ALLOWED_ORIGINS` environment variable. Development mode allows all origins.