Stabilize API routing, CORS, and settings save behavior

backend/app/main.py

@@ -18,16 +18,7 @@ from app.services.typesense_index import ensure_typesense_collection
 settings = get_settings()
 UPLOAD_ENDPOINT_PATH = "/api/v1/documents/upload"
 UPLOAD_ENDPOINT_METHOD = "POST"
-DEVELOPMENT_CORS_PRIVATE_ORIGIN_REGEX = (
-    r"^https?://("
-    r"localhost"
-    r"|127(?:\.\d{1,3}){3}"
-    r"|0\.0\.0\.0"
-    r"|10(?:\.\d{1,3}){3}"
-    r"|192\.168(?:\.\d{1,3}){2}"
-    r"|172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2}"
-    r")(?::\d+)?$"
-)
+CORS_HTTP_ORIGIN_REGEX = r"^https?://[^/]+$"
 
 
 def _is_upload_size_guard_target(request: Request) -> bool:
@@ -44,14 +35,10 @@ def create_app() -> FastAPI:
     """Builds and configures the FastAPI application instance."""
 
     app = FastAPI(title="DCM DMS API", version="0.1.0")
-    app_env = settings.app_env.strip().lower()
-    allow_origin_regex = (
-        DEVELOPMENT_CORS_PRIVATE_ORIGIN_REGEX if app_env in {"development", "dev"} else None
-    )
     app.add_middleware(
         CORSMiddleware,
         allow_origins=settings.cors_origins,
-        allow_origin_regex=allow_origin_regex,
+        allow_origin_regex=CORS_HTTP_ORIGIN_REGEX,
         allow_credentials=True,
         allow_methods=["*"],
         allow_headers=["*"],