/// CORS headers for API and SignalR (Flutter web sends X-Requested-With).
Map<String, String> apiCorsHeaders({String methods = 'GET, PUT, POST, OPTIONS'}) {
  return <String, String>{
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Methods': methods,
    'Access-Control-Allow-Headers':
        'Authorization, Content-Type, X-Requested-With',
  };
}