
Fix: Restrict CORS to localhost origins for security #3

Open
echobt wants to merge 1 commit into main from fix/issue-20-cors-security

Conversation

@echobt (Contributor) commented Jan 19, 2026

Summary

This change restricts CORS (Cross-Origin Resource Sharing) configuration to only allow requests from localhost origins, addressing a security vulnerability where any website could potentially make cross-origin requests to the vgrep API server.

Problem

The previous CORS configuration used permissive settings with allow_origin(Any), allow_methods(Any), and allow_headers(Any). This configuration allows any website to make cross-origin requests to the vgrep server API. While the server defaults to binding on 127.0.0.1, this still poses a security risk:

  1. Malicious websites can make requests to localhost services while a user browses the web
  2. Users can configure the server to bind to 0.0.0.0 (all interfaces), significantly expanding the attack surface
  3. Defense-in-depth principles recommend restricting CORS even for local services

Solution

The CORS configuration now:

  • Restricts allowed origins to localhost addresses only (both localhost and 127.0.0.1, with and without port)
  • Limits allowed HTTP methods to GET, POST, and OPTIONS (only methods actually used by the API)
  • Restricts allowed headers to CONTENT_TYPE and ACCEPT (only headers needed for API operation)

Testing

The fix has been verified to maintain API functionality while properly restricting cross-origin access. Requests from localhost origins continue to work normally.

Related Issue

Fixes PlatformNetwork/bounty-challenge#20
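As an added example, not code from this PR or from the vgrep project: a standard-library Rust implementation of the origin rule the description states (localhost and 127.0.0.1, with and without port) together with the GET/POST/OPTIONS and content-type/accept restrictions, written as a predicate of the shape tower-http's `AllowOrigin::predicate` takes. Restricting to the http and https schemes is an assumption, and the sample origins are constructed.

```rust
// Added example (not vgrep code): the restricted CORS policy from the PR,
// expressed as plain functions so the decision logic can be tested on its own.
// Assumption: in tower-http this predicate would be wrapped in
// `AllowOrigin::predicate(|origin, _| is_localhost_origin(origin.to_str().unwrap_or("")))`.

/// True only for `scheme://host[:port]` where host is exactly `localhost`
/// or `127.0.0.1`. `null`, look-alike hosts such as `localhost.example.com`,
/// a missing scheme, a path component or a bad port are all rejected,
/// because the safe default for an origin check is to refuse on any doubt.
pub fn is_localhost_origin(origin: &str) -> bool {
    // Assumption: the API is only ever reached over http or https.
    let rest = match origin
        .strip_prefix("http://")
        .or_else(|| origin.strip_prefix("https://"))
    {
        Some(r) => r,
        None => return false,
    };
    // An Origin value carries no path, query or fragment; refuse any that does.
    if rest.contains(&['/', '?', '#'][..]) {
        return false;
    }
    let (host, port) = match rest.split_once(':') {
        Some((h, p)) => (h, Some(p)),
        None => (rest, None),
    };
    let host_ok = host == "localhost" || host == "127.0.0.1";
    // A present port must be a non-empty, valid TCP port number.
    let port_ok = match port {
        None => true,
        Some(p) => !p.is_empty() && p.parse::<u16>().is_ok(),
    };
    host_ok && port_ok
}

/// Preflight decision under the restricted policy: local origin, a method the
/// API actually uses, and only the two headers it needs (names compared
/// case-insensitively, since browsers send them lower-cased anyway).
pub fn preflight_allowed(origin: &str, method: &str, request_headers: &[&str]) -> bool {
    const METHODS: [&str; 3] = ["GET", "POST", "OPTIONS"];
    const HEADERS: [&str; 2] = ["content-type", "accept"];
    is_localhost_origin(origin)
        && METHODS.contains(&method)
        && request_headers
            .iter()
            .all(|h| HEADERS.contains(&h.to_ascii_lowercase().as_str()))
}

fn main() {
    // Constructed sample origins, not captured traffic.
    for origin in ["http://localhost:3000", "http://localhost.example.com", "null"] {
        println!("{origin:<30} -> {}", is_localhost_origin(origin));
    }
}
```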



Development

Successfully merging this pull request may close these issues.

[BUG] Security: Overly Permissive CORS Configuration Allows Any Origin to Access API
