validate_origin() only allowed localhost origins by default, causing
production WebSocket connections to be rejected. Now it reads
APP_DOMAIN_URL and APP_STATIC_DOMAIN from env and automatically
adds their http/https/ws/wss variants to the allowed origins list.
Also add APP_DOMAIN_URL to the production configmap.
Without a shared cookie signing key, each pod generates a random key on
startup. Requests that hit different pods fail session validation, causing
CaptchaError when the captcha and login requests route to different pods.
