barkd: replace permissive CORS with deny-all default

• check or remove this line after you've added a CHANGELOG entry or if your PR doesn't need one (they should go into CHANGELOG/unreleased/)

Current CORS policy is permissive. I changed it to a default of restrictive with the option of whitelisting in config or env vars and flags.

I tested locally and it worked.