**Description**

CORS, ETag/HTTP caching, query limits, rate limiting.

**Acceptance Criteria**

- [x] CORS configured per env
- [x] ETag and cache headers where safe
- [x] Query and result limits enforced