Audits CORS and CSRF configuration in Next.js for wildcard origins, missing CSRF protection, and insecure cookie attributes.
Audit the CORS and CSRF configuration of this Next.js app with Supabase and a mobile iOS client.
## CORS AUDIT
- Check next.config.js (`headers()`), middleware.ts, every App Router Route Handler and every `pages/api` file for Access-Control-Allow-Origin; flag wildcard `*`, and also flag any code that reflects the request's Origin header back without checking it against an allowlist (that is a wildcard in disguise, and unlike `*` it works together with Access-Control-Allow-Credentials)
- Verify allowed origins are an explicit allowlist (production domain and staging domain only, full scheme plus host, no subdomain wildcards or regexes that match more than intended)
- Check that Access-Control-Allow-Methods lists only the methods the route actually serves
- Ensure Access-Control-Allow-Headers names only the request headers the browser client sends, and Access-Control-Expose-Headers only the response headers it needs to read (no `*` in either)
- Confirm preflight OPTIONS requests are answered with an empty 204 carrying only the CORS headers (plus `Vary: Origin` whenever the origin is echoed), with no server or framework version headers and no error body that leaks internals
- Flag any route that sets CORS headers inconsistently (for example middleware and the handler both setting them with different values) or redundantly
- Note: CORS is a browser mechanism. The iOS client calling the API directly is neither subject to it nor protected by it, so flag CORS headers on mobile-only routes as unnecessary, and flag any place CORS is being relied on as an access control instead of authentication
## CSRF AUDIT
- Next.js Server Actions have built-in CSRF protection (they accept only POST and reject requests whose Origin header does not match the Host / X-Forwarded-Host; behind a proxy the permitted hosts must be listed in `experimental.serverActions.allowedOrigins`); verify they are used for state-mutating operations instead of plain API routes where possible, and that any `allowedOrigins` entry is not broader than the real deployment hosts
- For any custom POST/PUT/PATCH/DELETE Route Handler or `pages/api` route NOT going through a Server Action, check that a CSRF token is validated or that the Origin header (falling back to Referer) is checked against the same origin allowlist, and that a cookie-authenticated mutation carrying neither header is rejected rather than allowed through
- Check that cookie-based session tokens use SameSite=Strict or SameSite=Lax, never None unless explicitly required and justified in writing; remember that Lax still sends the cookie on top-level GET navigations, so no GET route may change state
- Flag any state-mutating route that relies solely on cookie auth without a secondary CSRF check (bearer-token routes used by the iOS client are not CSRF-exposed, but confirm they do not also accept the cookie)
- Verify that Supabase Auth cookies are configured with HttpOnly, Secure, and SameSite attributes; if the browser-side `@supabase/ssr` client reads the session from `document.cookie`, HttpOnly cannot be set on that cookie, so record that as an accepted risk with its compensating XSS and CSRF controls instead of silently passing it
- Check for any forms or fetch calls in client components that POST to API routes without a CSRF token or an Origin check on the receiving route, and for fetch calls using `credentials: 'include'` against a cross-origin API
## OUTPUT
- List each finding with: file location, the issue, severity (CRITICAL/HIGH/MEDIUM/LOW), and the exact fix
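Added example, not code from this prompt page, Next.js or Supabase: the allowlist-based CORS handling, the Origin/Referer CSRF check for cookie-authenticated routes, and the Set-Cookie attribute check that the CORS and CSRF sections above ask the auditor to look for, each beside the weak form it replaces. It is written against a minimal header accessor so it runs outside Next.js; the domains, the `sb-auth-token` cookie name and the method/header lists are hypothetical placeholders for the app's real values.

```typescript
// Added example (not from the page): allowlist CORS, Origin/Referer CSRF check,
// and a Set-Cookie attribute audit. Domains and cookie names are hypothetical.

interface HeaderSource {
  get(name: string): string | null;
}

// Wraps a plain record as a case-insensitive header accessor. The Fetch API
// Headers object on a Next.js request satisfies the same interface.
function headersFrom(raw: Record<string, string>): HeaderSource {
  const lower: Record<string, string> = {};
  Object.keys(raw).forEach((k) => { lower[k.toLowerCase()] = raw[k]; });
  return { get: (name) => { const v = lower[name.toLowerCase()]; return v === undefined ? null : v; } };
}

// Hypothetical production and staging origins: full scheme + host, no wildcards.
const ALLOWED_ORIGINS: string[] = ["https://app.example.com", "https://staging.example.com"];
const SAFE_METHODS: string[] = ["GET", "HEAD", "OPTIONS"];

function isAllowedOrigin(origin: string | null): boolean {
  return origin !== null && ALLOWED_ORIGINS.indexOf(origin) !== -1;
}

// Reduces an Origin or Referer value to scheme://host[:port]. Returns null for a
// missing header, an unparseable value, or the literal "null" origin that browsers
// send for sandboxed frames and some redirected cross-origin requests.
function originOf(value: string | null): string | null {
  if (value === null) return null;
  try {
    return new URL(value).origin;
  } catch (e) {
    return null;
  }
}

interface CorsDecision {
  allowed: boolean;
  status: number;                  // 204 for an answered preflight, 403 for a rejected origin
  headers: Record<string, string>; // CORS headers to add; empty when CORS does not apply
}

// The configuration the audit flags. Browsers refuse `*` together with credentials,
// so this usually gets "fixed" by reflecting the request Origin, which lets any site
// make credentialed calls. Shown for contrast only.
function corsHeadersWildcard(): Record<string, string> {
  return { "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true" };
}

// Hardened form: explicit allowlist, Vary: Origin so caches keep responses per origin,
// and methods/headers limited to what the API actually uses.
function corsDecision(method: string, headers: HeaderSource): CorsDecision {
  const raw = headers.get("origin");
  if (raw === null) {
    // No Origin header: same-origin navigation or a non-browser client such as the
    // iOS app. CORS does not apply, so no CORS headers are added at all.
    return { allowed: true, status: 200, headers: {} };
  }
  const origin = originOf(raw);
  if (origin === null || !isAllowedOrigin(origin)) {
    return { allowed: false, status: 403, headers: {} };
  }
  const h: Record<string, string> = {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
  if (method.toUpperCase() === "OPTIONS") {
    h["Access-Control-Allow-Methods"] = "GET, POST, DELETE";
    h["Access-Control-Allow-Headers"] = "Content-Type, Authorization";
    h["Access-Control-Max-Age"] = "600";
    return { allowed: true, status: 204, headers: h };
  }
  return { allowed: true, status: 200, headers: h };
}

// CSRF check for a state-mutating Route Handler that is not a Server Action.
// Requests with no cookies (the iOS client's bearer-token calls) carry no ambient
// credential a cross-site page could abuse, so only cookie-bearing requests are
// checked. Modern browsers send Origin on every cross-site POST/PUT/DELETE, so a
// cookie-bearing mutation with neither Origin nor Referer is rejected (fail closed).
function passesCsrfOriginCheck(method: string, headers: HeaderSource): boolean {
  if (SAFE_METHODS.indexOf(method.toUpperCase()) !== -1) return true; // must be side-effect-free
  if (headers.get("cookie") === null) return true;
  const source = originOf(headers.get("origin")) ?? originOf(headers.get("referer"));
  return isAllowedOrigin(source);
}

// Flags a Set-Cookie header that lacks the attributes the audit requires or uses
// SameSite=None. Returns an empty list when the cookie is acceptable.
function auditSetCookie(setCookie: string): string[] {
  const attrs = setCookie.split(";").slice(1).map((a) => a.trim().toLowerCase());
  const findings: string[] = [];
  if (attrs.indexOf("httponly") === -1) findings.push("missing HttpOnly");
  if (attrs.indexOf("secure") === -1) findings.push("missing Secure");
  const sameSite = attrs.filter((a) => a.indexOf("samesite=") === 0)[0];
  if (sameSite === undefined) findings.push("missing SameSite");
  else if (sameSite === "samesite=none") findings.push("SameSite=None needs explicit justification");
  return findings;
}
```

In a Next.js middleware.ts you would call `corsDecision(request.method, request.headers)`, return `new NextResponse(null, { status: 204, headers })` for an allowed preflight, and otherwise copy the returned headers onto the response; `passesCsrfOriginCheck` belongs at the top of each cookie-authenticated POST/PUT/DELETE Route Handler, and `auditSetCookie` can be run over the `set-cookie` headers of a real login response to produce the cookie findings the OUTPUT section asks for.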
Tags: supabase, nextjs, csrf, security, ios-api, cookies, cors
By Promptexify | 3/25/2026