Feat(Security):

a. Update CORS settings
 b. Update session cookie settings
 c. Remove comments that expose project architecture (and that Claude made most of it :P)

app.py

@@ -20,7 +20,7 @@ from config import app_config, Config
 from controllers.core import routes_core
 from controllers.legal import routes_legal
 from controllers.user import routes_user
-from extensions import db, csrf, cors, mail, oauth
+from extensions import db, csrf, mail, oauth
 from helpers.helper_app import Helper_App
 # external
 from flask import Flask, render_template, jsonify, request,  render_template_string, send_from_directory, redirect, url_for, session
@@ -73,12 +73,13 @@ def make_session_permanent():
     session.permanent = True
 
 csrf = CSRFProtect()
-"""
-cors = CORS()
-db = SQLAlchemy()
-mail = Mail()
-oauth = OAuth()
-"""
+cors = CORS(app, resources={
+    r"/static/*": {
+        "origins": [app.config["URL_HOST"]],
+        "methods": ["GET"],
+        "max_age": 3600
+    }
+})
 
 csrf.init_app(app)
 cors.init_app(app)
@@ -114,4 +115,14 @@ app.register_blueprint(routes_user)
 @app.template_filter('console_log')
 def console_log(value):
     Helper_App.console_log(value)
-    return value
+    return value
+
+@app.after_request
+def add_cache_headers(response):
+    if request.path.startswith('/static/'):
+        # Cache static assets
+        response.headers['Cache-Control'] = 'public, max-age=31536000'
+    else:
+        # No caching for dynamic content
+        response.headers['Cache-Control'] = 'no-store, no-cache, must-revalidate, max-age=0'
+    return response