security: CORS + headers de seguridad para 3d.consultoria-as.com

- CORSMiddleware con dominio de produccion y localhost
- SecurityHeadersMiddleware: X-Frame-Options, CSP, nosniff, referrer-policy
- Titulo de app actualizado a PrintForge v2.2.0

app/main.py

@@ -1,6 +1,8 @@
 from fastapi import FastAPI
 from fastapi.staticfiles import StaticFiles
 from fastapi.responses import FileResponse
+from fastapi.middleware.cors import CORSMiddleware
+from starlette.middleware.base import BaseHTTPMiddleware
 from app.database import engine, Base
 from app.routers import models
 from app.migrate import run_migrations
@@ -10,7 +12,39 @@ import os
 Base.metadata.create_all(bind=engine)
 run_migrations()
 
-app = FastAPI(title="STL Repository", version="2.1.0")
+app = FastAPI(title="PrintForge", version="2.2.0")
+
+# CORS — allow production domain and local development
+app.add_middleware(
+    CORSMiddleware,
+    allow_origins=[
+        "https://3d.consultoria-as.com",
+        "http://localhost:8000",
+        "http://127.0.0.1:8000",
+    ],
+    allow_credentials=True,
+    allow_methods=["*"],
+    allow_headers=["*"],
+)
+
+# Security headers middleware
+class SecurityHeadersMiddleware(BaseHTTPMiddleware):
+    async def dispatch(self, request, call_next):
+        response = await call_next(request)
+        response.headers["X-Frame-Options"] = "SAMEORIGIN"
+        response.headers["X-Content-Type-Options"] = "nosniff"
+        response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
+        response.headers["Content-Security-Policy"] = (
+            "default-src 'self'; "
+            "script-src 'self' 'unsafe-inline' https://cdn.tailwindcss.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net; "
+            "style-src 'self' 'unsafe-inline'; "
+            "img-src 'self' data: blob:; "
+            "font-src 'self'; "
+            "connect-src 'self';"
+        )
+        return response
+
+app.add_middleware(SecurityHeadersMiddleware)
 
 app.include_router(models.router)