From 403f522a0b101340908b589c0749373d8514afab Mon Sep 17 00:00:00 2001
From: Patrick Britton <admin@pbritton.dev>
Date: Tue, 3 Feb 2026 18:09:50 -0600
Subject: [PATCH] fix(cors): allow X-Signature headers for valid web requests

---
 go-backend/cmd/api/main.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/go-backend/cmd/api/main.go b/go-backend/cmd/api/main.go
index 942bcfe..60ede5a 100644
--- a/go-backend/cmd/api/main.go
+++ b/go-backend/cmd/api/main.go
@@ -83,7 +83,7 @@ func main() {
 			return ok
 		},
 		AllowMethods:     []string{"GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"},
-		AllowHeaders:     []string{"Origin", "Content-Type", "Accept", "Authorization", "X-Request-ID"},
+		AllowHeaders:     []string{"Origin", "Content-Type", "Accept", "Authorization", "X-Request-ID", "X-Timestamp", "X-Signature", "X-Algorithm"},
 		ExposeHeaders:    []string{"Content-Length"},
 		AllowCredentials: true,
 		MaxAge:           12 * time.Hour,