app/__init__.py

from flask import Flask
from flask_cors import CORS

def create_app():
    app = Flask(__name__, 
                static_folder='static',
                template_folder='templates')
    
    # Configure CORS
    CORS(app, resources={
        r"/*": {
            "origins": [
                r"https://.*\.hf\.space",        # any HF Space subdomain
                "https://<your-username>.github.io",
                "https://www.<your-domain>.com",
                "http://localhost:5000",
                "http://127.0.0.1:5000",
            ],
            "methods": ["GET", "POST", "OPTIONS"],
            "allow_headers": ["Content-Type"]
        }
    })
    
    # Configure security headers (CORS is already handled by flask-cors above)
    @app.after_request
    def add_security_headers(response):
        # Add security headers but don't override CORS (flask-cors handles it)
        response.headers['X-Content-Type-Options'] = 'nosniff'
        # response.headers['X-Frame-Options'] = 'SAMEORIGIN'
        response.headers['X-XSS-Protection'] = '1; mode=block'
        return response
    
    # Register blueprints
    from app.routes import main
    app.register_blueprint(main)
    
    return app