## What to build Add settings-driven middleware for common production web/API hardening while keeping defaults safe for local development. ## Acceptance criteria - [ ] CORS origins are configurable and documented. - [ ] Trusted host validation is configurable and documented. - [ ] Request correlation ID is added or propagated and included in logs/traces. - [ ] Security headers are added in app middleware or explicitly delegated to the reverse proxy in docs. - [ ] Tests cover the middleware behavior for representative requests. ## Blocked by None - can start immediately.
What to build
Add settings-driven middleware for common production web/API hardening while keeping defaults safe for local development.
Acceptance criteria
Blocked by
None - can start immediately.