security hints

Disable CORS for development