Hasura GraphQL: CORS configuration, admin secret misuse, and JWT role claims for browsers
Never expose HASURA_GRAPHQL_ADMIN_SECRET in SPAs; use JWT with x-hasura-* claims and tight Allow-Origin lists.
Tags: hasura, graphql, cors
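To make the "JWT with x-hasura-* claims" advice concrete, here is an added example (not Hasura's code, not from the original post) that mints an HS256 token carrying the namespaced claims Hasura reads, then verifies it and resolves the effective role the way Hasura does: an explicit X-Hasura-Role must appear in x-hasura-allowed-roles, otherwise x-hasura-default-role is used. The secret, user id and role names are constructed; only the standard library is used.

```python
import base64, hashlib, hmac, json, time

HASURA_NS = "https://hasura.io/jwt/claims"   # namespace Hasura reads claims from

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_hasura_jwt(secret, user_id, allowed_roles, default_role, ttl=900):
    """Issue a short-lived HS256 JWT with Hasura's x-hasura-* claims (constructed example)."""
    now = int(time.time())
    payload = {
        "sub": user_id, "iat": now, "exp": now + ttl,
        HASURA_NS: {
            "x-hasura-allowed-roles": list(allowed_roles),
            "x-hasura-default-role": default_role,
            "x-hasura-user-id": user_id,
        },
    }
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def resolve_role(token, secret, requested_role=None, now=None):
    """Verify signature and expiry, then return the role the request may act as.
    Raises PermissionError on any failure, so callers never fall back to admin."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":   # pin the algorithm: rejects 'none' and confusion attacks
        raise PermissionError("unexpected alg")
    expected = hmac.new(secret, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):   # constant-time compare
        raise PermissionError("bad signature")
    payload = json.loads(_b64url_decode(p))
    if payload.get("exp", 0) <= (now if now is not None else time.time()):
        raise PermissionError("expired")
    claims = payload[HASURA_NS]
    allowed = claims["x-hasura-allowed-roles"]
    default = claims["x-hasura-default-role"]
    if default not in allowed:   # defensive: a default outside the allow list is a misconfigured token
        raise PermissionError("default role not in allowed roles")
    if requested_role is None:
        return default
    if requested_role not in allowed:   # same rule Hasura applies to the X-Hasura-Role header
        raise PermissionError("role %r not allowed" % requested_role)
    return requested_role
```

Browsers should only ever hold such a user-scoped token; the admin secret stays on the server that mints it.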
Subscriptions
WebSocket upgrades bypass CORS preflight, but the browser still sends an Origin header on the upgrade request, so that origin must be in Hasura's allow list, and credentialed (cookie-based) auth needs a matching SameSite policy on the cookie.
Throttle subscription fan-out to protect origin servers behind Hasura.
Actions and events
Webhook handlers invoked by Hasura are server-to-server—CORS does not apply, but validate signatures rigorously.
Mirror idempotency keys in event payloads to survive retries without duplicate side effects.
