CORS Hardening — orchestkit.vercel.app
Restrict Access-Control-Allow-Origin from wildcard to same-origin.
Before (Vercel default)
Access-Control-Allow-Origin: *
Any website can fetch docs content via JavaScript cross-origin requests.
After
Access-Control-Allow-Origin: https://orchestkit.vercel.app
Only https://orchestkit.vercel.app is an allowed origin. Browsers block JavaScript running on other origins from reading the responses.
Changed file
docs/site/next.config.mjs — 1 line added to security headers array
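Added example (not the project's own code): a sketch of how the added line could sit in a Next.js headers() rule, with a simplified model of the browser's CORS check applied to the before and after values. The names securityHeaders, nextConfig, getHeader, canScriptRead and compare, the '/(.*)' source pattern and the https://other.example origin are assumptions.

```javascript
// Added example; names other than the header and the site origin are assumptions.
const SITE_ORIGIN = 'https://orchestkit.vercel.app';

// Hypothetical shape of the security headers array in docs/site/next.config.mjs.
// Any other security headers the project sets are omitted here.
const securityHeaders = [
  { key: 'Access-Control-Allow-Origin', value: SITE_ORIGIN }, // the added line
];

// Next.js `headers()` config: apply the array to every route.
// In next.config.mjs this object would be the default export.
const nextConfig = {
  async headers() {
    return [{ source: '/(.*)', headers: securityHeaders }];
  },
};

// Case-insensitive lookup in a Next.js-style [{ key, value }] header list.
function getHeader(headers, name) {
  const hit = headers.find((h) => h.key.toLowerCase() === name.toLowerCase());
  return hit ? hit.value : null;
}

// Simplified browser CORS check for a non-credentialed fetch():
// same-origin reads skip CORS; cross-origin reads need `*` or an exact match.
function canScriptRead(pageOrigin, targetOrigin, responseHeaders) {
  if (pageOrigin === targetOrigin) return true;
  const acao = getHeader(responseHeaders, 'Access-Control-Allow-Origin');
  return acao === '*' || acao === pageOrigin;
}

// Constructed before/after comparison for a given page origin.
async function compare(pageOrigin) {
  const before = [{ key: 'Access-Control-Allow-Origin', value: '*' }];
  const [rule] = await nextConfig.headers();
  return {
    before: canScriptRead(pageOrigin, SITE_ORIGIN, before),
    after: canScriptRead(pageOrigin, SITE_ORIGIN, rule.headers),
  };
}

compare('https://other.example').then((r) => console.log(r));
```

The header only governs what browsers let scripts read; clients that do not enforce CORS can still request the docs content.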