feat: enhance CORS configuration and implement throttling for API endpoints; add admin role checks in controllers

backend/src/main.ts

@@ -7,6 +7,15 @@ import helmet from 'helmet';
 async function bootstrap() {
   const app = await NestFactory.create(AppModule);
 
+  // CORS — tillåt endast appens egen origin (sätts via ALLOWED_ORIGIN i miljövariabler)
+  const allowedOrigin = process.env.ALLOWED_ORIGIN || 'https://recept.gynther.se';
+  app.enableCors({
+    origin: allowedOrigin,
+    methods: ['GET', 'POST', 'PATCH', 'PUT', 'DELETE', 'OPTIONS'],
+    allowedHeaders: ['Content-Type', 'Authorization'],
+    credentials: true,
+  });
+
   // Helmet som säkerhetsbackup (CSP hanteras av Next.js/Caddy)
   app.use(
     helmet({