Wildcard subdomains and CORS: when reflection is safe versus dangerous
Reflecting arbitrary subdomains of your root domain can accidentally include attacker-controlled tenants.
Tags: cors, subdomains, security
Tenant isolation
Multi-tenant apps should map browser origins to tenant IDs through a server-side registry of exact origins (scheme, host and port), not through substring or suffix checks on the Origin header alone. On a wildcard subdomain, a suffix match on the root domain admits every tenant that can register a subdomain, including one an attacker signed up for, so reflecting such an origin hands that tenant a credentialed cross-origin read of your API.
Phishing sites on look-alike domains remain a risk that CORS cannot address, since a phishing page never needs a cross-origin read. Pair CORS with CSP and cookie policies (SameSite attributes, scoped cookie domains) rather than treating the allow-list as an authentication boundary.
Testing matrices
Automate tests for the apex, www and app hosts across both the http and https schemes where applicable, and assert on the exact Access-Control-Allow-Origin value returned (or its absence), not just on the response status.
Include the ports used in local development: an origin includes its port, so http://localhost:3000 and http://localhost:3001 are different origins, and a registry entry that omits the port will fail silently until someone tests it.
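The two sections above (a registry-based origin check instead of a substring check, and a matrix test over hosts, schemes and ports) are shown together in this added example. It is not code from the original post; the root domain example.com, the tenant IDs and the localhost port are constructed for illustration, and the registry would be loaded from the tenant database in a real service.

```javascript
// Added example (not from the original post). A server-side origin registry
// for a multi-tenant app, the weak "contains" check it replaces, and a small
// test matrix over apex/www/app hosts, both schemes and several ports.
// ROOT_DOMAIN, the tenant IDs and the hostnames below are constructed.

const ROOT_DOMAIN = "example.com"; // assumed root domain

// Exact origin -> tenant ID. In a real app this comes from the tenant
// database at boot; it is hard-coded here so the example runs offline.
const ORIGIN_REGISTRY = new Map([
  ["https://example.com", "tenant-marketing"],
  ["https://www.example.com", "tenant-marketing"],
  ["https://app.example.com", "tenant-app"],
  ["https://acme.example.com", "tenant-acme"],
  // Local development: the port is part of the origin, so list it explicitly.
  ["http://localhost:3000", "tenant-dev"],
]);

// Weak check: reflects any Origin whose string contains the root domain.
// "https://example.com.evil.net" and "https://evil-example.com" both pass,
// and so does any subdomain an attacker registered as a tenant. A suffix
// check (endsWith("." + ROOT_DOMAIN)) fixes the first two but not the third.
function tenantForOriginWeak(origin) {
  return origin.includes(ROOT_DOMAIN) ? "some-tenant" : null;
}

// Hardened check: parse the Origin, normalise it, and look it up exactly.
// Returns the tenant ID, or null when the origin is unknown or malformed.
function tenantForOrigin(origin) {
  if (typeof origin !== "string") return null;
  let url;
  try {
    url = new URL(origin); // throws on "null" (opaque origin) and garbage
  } catch {
    return null;
  }
  // A CORS Origin is scheme://host[:port] with nothing else; reject extras.
  if (url.pathname !== "/" || url.search || url.hash || url.username || url.password) {
    return null;
  }
  // url.origin lower-cases the host and drops a default port (:443, :80),
  // so "https://APP.example.com:443" and "https://app.example.com" collide.
  return ORIGIN_REGISTRY.get(url.origin) ?? null;
}

// Response headers for a request carrying the given Origin. Returns null
// when the origin is not registered: no Access-Control-Allow-Origin header
// at all, so the browser refuses the cross-origin read.
function corsHeaders(origin) {
  const tenant = tenantForOrigin(origin);
  if (tenant === null) return null;
  return {
    tenant,
    headers: {
      "Access-Control-Allow-Origin": new URL(origin).origin, // echo the normalised origin only
      "Access-Control-Allow-Credentials": "true",
      "Vary": "Origin", // caches must not serve one origin's ACAO to another
    },
  };
}

// Test matrix: apex, www and app hosts x both schemes x a few ports.
// Each entry records the origin tried and the tenant the hardened check
// resolved it to (null when rejected).
function runOriginMatrix(root = ROOT_DOMAIN) {
  const hosts = [root, `www.${root}`, `app.${root}`];
  const schemes = ["http", "https"];
  const ports = ["", ":443", ":80", ":8443"];
  const results = [];
  for (const scheme of schemes) {
    for (const host of hosts) {
      for (const port of ports) {
        const origin = `${scheme}://${host}${port}`;
        results.push({ origin, tenant: tenantForOrigin(origin) });
      }
    }
  }
  return results;
}

module.exports = { tenantForOrigin, tenantForOriginWeak, corsHeaders, runOriginMatrix };
```

With the registry above, the 24-entry matrix accepts exactly six origins: the three https hosts, each with and without an explicit :443. Every http origin and every non-default port is rejected, which is the behaviour to assert on in CI; an accidental `http://` entry or a missing dev port shows up as a changed count.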
