
tessl-labs/go-security-basics

Security defaults that belong in every Go HTTP server from day one — CORS, security headers, rate limiting, SQL injection prevention, input validation, secrets management, graceful shutdown, and request timeouts.

89
1.32x

Quality: 83% (Does it follow best practices?)
Impact: 99%, 1.32x (average score across 5 eval scenarios)
Security by Snyk: Passed, no known issues


evals/scenario-1/task.md

Cross-Origin API for a React Dashboard

Problem Description

A startup has built a React dashboard at http://localhost:5173 and https://dashboard.example.com that needs to talk to a Go REST API. The frontend engineers are seeing CORS errors in the browser console and the security team has flagged that the server responses are missing several browser security headers. The Go API currently has no CORS configuration or security headers at all.

Your job is to build a small Go HTTP server that exposes two endpoints and is properly configured to work with the React dashboard. The API should handle cross-origin requests safely and add the standard browser security headers that the security team requires.

Output Specification

Create a Go module in the ./api/ directory. The server should:

  • Expose GET /api/health returning {"status":"ok"}
  • Expose GET /api/items returning a JSON array of items (can be hardcoded sample data)

The server must be runnable with go run ./api/ and should listen on port 8080 by default. Produce a README.md in ./api/ describing how to configure and run the server, including what environment variables it accepts.

Write a verify.sh script that starts the server in the background, makes a couple of test requests with curl including preflight OPTIONS requests, captures the response headers to a file header_dump.txt, then stops the server.
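A minimal server that meets this specification, added here as an illustration (it is not the task's reference solution and not code from the tessl-labs/go-security-basics project): an allow-list CORS middleware that echoes an origin only when it is configured and answers preflight OPTIONS with 204, a security-headers middleware applied to every response, the two endpoints, and server timeouts with graceful shutdown. The environment variable names ALLOWED_ORIGINS and PORT, the default origin list, and the sample items are my own assumptions, since the task leaves them to the implementer.

```go
package main

import (
	"context"
	"encoding/json"
	"log"
	"net/http"
	"os"
	"os/signal"
	"strings"
	"syscall"
	"time"
)

// Constructed sample data for GET /api/items (the task allows hardcoded items).
type item struct {
	ID   int    `json:"id"`
	Name string `json:"name"`
}

var sampleItems = []item{{ID: 1, Name: "alpha"}, {ID: 2, Name: "beta"}}

// securityHeaders sets the baseline browser security headers on every response,
// including CORS preflight replies and error responses.
func securityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("X-Frame-Options", "DENY")
		h.Set("Referrer-Policy", "no-referrer")
		h.Set("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'")
		h.Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
		h.Set("Cache-Control", "no-store")
		next.ServeHTTP(w, r)
	})
}

// cors allows only the configured origins. The Origin header is echoed back
// only on an exact allow-list match; it is never reflected unconditionally
// and "*" is never used, so a cross-site page cannot read API responses.
func cors(allowed []string, next http.Handler) http.Handler {
	set := make(map[string]bool, len(allowed))
	for _, o := range allowed {
		if o = strings.TrimSpace(o); o != "" {
			set[o] = true
		}
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Vary on Origin so shared caches never serve one origin's ACAO to another.
		w.Header().Add("Vary", "Origin")
		if origin := r.Header.Get("Origin"); origin != "" && set[origin] {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Access-Control-Allow-Methods", "GET, OPTIONS")
			w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
			w.Header().Set("Access-Control-Max-Age", "600")
		}
		if r.Method == http.MethodOptions {
			// Preflight: answer without invoking the route handler. A disallowed
			// origin still gets 204 but no ACAO header, so the browser blocks it.
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func writeJSON(w http.ResponseWriter, status int, v any) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	_ = json.NewEncoder(w).Encode(v)
}

// getOnly rejects any method other than GET (OPTIONS is consumed by cors).
func getOnly(fn http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		fn(w, r)
	}
}

// newHandler builds the full middleware chain: security headers -> CORS -> routes.
func newHandler(allowedOrigins []string) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/health", getOnly(func(w http.ResponseWriter, r *http.Request) {
		writeJSON(w, http.StatusOK, map[string]string{"status": "ok"})
	}))
	mux.HandleFunc("/api/items", getOnly(func(w http.ResponseWriter, r *http.Request) {
		writeJSON(w, http.StatusOK, sampleItems)
	}))
	return securityHeaders(cors(allowedOrigins, mux))
}

func getenv(key, def string) string {
	if v := os.Getenv(key); v != "" {
		return v
	}
	return def
}

func main() {
	// Assumed configuration: ALLOWED_ORIGINS is comma-separated; PORT defaults to 8080.
	origins := strings.Split(getenv("ALLOWED_ORIGINS",
		"http://localhost:5173,https://dashboard.example.com"), ",")
	srv := &http.Server{
		Addr:              ":" + getenv("PORT", "8080"),
		Handler:           newHandler(origins),
		ReadHeaderTimeout: 5 * time.Second, // bounds slow-header (Slowloris-style) clients
		ReadTimeout:       10 * time.Second,
		WriteTimeout:      10 * time.Second,
		IdleTimeout:       60 * time.Second,
	}
	go func() {
		if err := srv.ListenAndServe(); err != nil && err != http.ErrServerClosed {
			log.Fatal(err)
		}
	}()
	// Graceful shutdown: stop accepting, then let in-flight requests finish.
	stop := make(chan os.Signal, 1)
	signal.Notify(stop, os.Interrupt, syscall.SIGTERM)
	<-stop
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	defer cancel()
	_ = srv.Shutdown(ctx)
}
```

For the verify.sh step, a preflight can be exercised with `curl -i -X OPTIONS -H 'Origin: http://localhost:5173' -H 'Access-Control-Request-Method: GET' http://localhost:8080/api/items`; the dumped headers should show Access-Control-Allow-Origin echoing only a configured origin, and the same request with an unconfigured Origin should show no Access-Control-Allow-Origin at all. That absence is the check reviewers most often miss: a server that reflects any Origin passes the "no CORS errors" test while defeating the same-origin policy.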

Files:

evals/
  scenario-1/
    criteria.json
    task.md
    tile.json