Default CORS allows any origin; tighten defaults or docs

[akassharjun]

Summary:
Gateway default CORS is *, risky in production.

Impact:
Security hardening required manually.

Proposed fix:

• Default to no origins in release builds and require explicit configuration, OR
• Keep * only for dev, OR
• At minimum, emphasize production guidance in docs and examples.

Acceptance:

• Safer defaults or clear documentation with production examples.

[isala404]

@claude can you verify this? as I remember forge.toml has way to customize this, double check the docs to make sure it's documented correctly if not open a PR for it.

[isala404]

Verified the current implementation:

Configuration:

• CORS is configurable via [gateway] cors_origins in forge.toml
• Template shows: # cors_origins = ["http://localhost:5173"]
• Default remains * (any origin)

Documentation:

• deployment.mdx production checklist (line 439) mentions "Configure proper CORS origins"
• No dedicated CORS documentation section

Current state:
Partially addressed with configuration support and checklist mention, but could be improved with:

1. Dedicated CORS section in deployment docs showing examples
2. Consider defaulting to restrictive CORS with explicit opt-in for *

Leaving open since documentation could be more comprehensive. Can add a CORS guide section if desired.