Enhance security and validation across multiple routes:

- Escape XML and HTML special characters to prevent injection attacks.
- Implement rate limiting for various endpoints to mitigate abuse.
- Add validation for email formats, password lengths, and field limits.
- Ensure proper access control for recordings and room management.

server/index.js

@@ -25,7 +25,11 @@ const trustProxy = /^\d+$/.test(rawTrustProxy) ? parseInt(rawTrustProxy, 10) : r
 app.set('trust proxy', trustProxy);
 
 // Middleware
-app.use(cors());
+// M10: restrict CORS in production; allow all in development
+const corsOptions = process.env.APP_URL
+  ? { origin: process.env.APP_URL, credentials: true }
+  : {};
+app.use(cors(corsOptions));
 app.use(express.json());
 
 // Initialize database & start server