fix: BUG-009 setTimeout syntax, BUG-010 CORS helmet policy, BUG-011 content-type validation

public/app.js

@@ -67,7 +67,7 @@ function copyKey() {
   var key = document.getElementById('apiKeyDisplay').textContent;
   navigator.clipboard.writeText(key).then(function() {
     var btn = document.getElementById('apiKeyDisplay'); var origText = btn.textContent; btn.textContent = 'Copied!'; document.querySelector('.copy-hint').textContent = '✓ Copied!';
-    setTimeout(function() { btn.textContent = origText; document.querySelector('.copy-hint').textContent = 'Click to copy';
+    setTimeout(function() { btn.textContent = origText; document.querySelector('.copy-hint').textContent = 'Click to copy'; }, 2000);
   });
 }
 

src/index.ts

@@ -20,7 +20,7 @@ const PORT = parseInt(process.env.PORT || "3100", 10);
 // Load API keys from persistent store
 loadKeys();
 
-app.use(helmet());
+app.use(helmet({ crossOriginResourcePolicy: { policy: "cross-origin" } }));
 
 // CORS — allow browser requests from the landing page
 app.use((req, res, next) => {

src/routes/convert.ts

@@ -18,6 +18,12 @@ interface ConvertBody {
 // POST /v1/convert/html
 convertRouter.post("/html", async (req: Request, res: Response) => {
   try {
+    // Reject non-JSON content types
+    const ct = req.headers["content-type"] || "";
+    if (!ct.includes("application/json")) {
+      res.status(415).json({ error: "Unsupported Content-Type. Use application/json." });
+      return;
+    }
     const body: ConvertBody =
       typeof req.body === "string" ? { html: req.body } : req.body;