- Explicitly check APP_ENV instead of relying on isProduction() helper
- Default to development mode (allow localhost origins) if APP_ENV is not set
- Ensures Swagger UI can be embedded from localhost:5173 in development
- Fixes issue where frame-ancestors was still 'self' even in development
- Update frame-ancestors CSP to include common localhost origins in development
- Allows embedding from localhost:5173 (Vite dev server) and localhost:3000
- Production remains restricted to same-origin only
- Fixes CSP violation when frontend (localhost:5173) embeds backend Swagger UI (localhost:8080)
- Enhanced security headers middleware with additional headers
- Added X-Permitted-Cross-Domain-Policies: none
- Added Cross-Origin-Embedder-Policy: require-corp
- Added Cross-Origin-Opener-Policy: same-origin
- Added Cross-Origin-Resource-Policy: same-origin
- Enhanced Permissions-Policy with additional restrictions
- Enhanced CSP with frame-ancestors directive
- HSTS now only set in production (not in development)
- Updated tests to verify all new headers
