Proposal: allowed origins per entity

[marcochiodo]

A small but useful addition to the entity settings: a comma-separated list of allowed
origins, similar to what Shynet offers.

The idea is straightforward — when origins are set on an entity, the server would reject
(or silently ignore) incoming events whose Origin header doesn't match the list. No origin set = current open behavior, fully backwards compatible.

This would act as a soft filter against accidental or intentional misuse of a public
entity ID, and nicely rounds out the feature set for self-hosted deployments where you
know exactly which domains should be sending events.

A simple textarea in the entity settings UI with a note like "one origin per line or
comma-separated (e.g. https://example.com)" would be enough.

Would this fit into your roadmap?