Merge remote-tracking branch 'origin/master'

svc/main.go

@@ -27,15 +27,33 @@ import (
 ===========================================================
 */
 func enableCORS(h http.Handler) http.Handler {
+
+	frontendURL := os.Getenv("APP_FRONTEND_URL")
+
+	// Default fallback (dev için)
+	if frontendURL == "" {
+		frontendURL = "http://localhost:9000"
+	}
+
+	log.Println("🌍 CORS Allowed Origin:", frontendURL)
+
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 
-		w.Header().Set("Access-Control-Allow-Origin", "http://localhost:9000")
-		w.Header().Set("Access-Control-Allow-Credentials", "true")
+		origin := r.Header.Get("Origin")
+
+		// Sadece izin verilen origin'e cevap ver
+		if origin == frontendURL {
+			w.Header().Set("Access-Control-Allow-Origin", origin)
+			w.Header().Set("Vary", "Origin")
+			w.Header().Set("Access-Control-Allow-Credentials", "true")
+		}
+
 		w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
 		w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
 
+		// Preflight
 		if r.Method == http.MethodOptions {
-			w.WriteHeader(http.StatusOK)
+			w.WriteHeader(http.StatusNoContent)
 			return
 		}