Error Codes, Real Limits, and Why CORS Is Not Security

We added real error codes and docs in the Gameboy app, tightened CORS to known origins, and shipped basic rate limiting on the API. CORS isn’t security, but it’s now sane. Rate limiting is the real guardrail.

We shipped a bunch of “boring but important” updates to the Gameboy app and its API, and they actually make the whole thing feel more legit. The frontend now shows real error codes with a “Visit docs to troubleshoot” prompt, and the Docs page walks through each code with actual fixes instead of hand-wavy vibes. That alone turned “something broke” into a fast, repeatable diagnosis.

On the API side we tightened CORS to the actual web origins (Amplify + gameboy.getawd.com) and added IP rate limiting. That lets people hit the API without it turning into an accidental load test. We also added an option to fetch only the original 151, because nostalgia deserves precision.

The big takeaway: CORS is for browsers, not security. Real guardrails come from things like rate limits, sane defaults, and clear docs.
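To make the CORS-versus-rate-limit point concrete, here is an added sketch (not the Gameboy app's code) of an origin allowlist next to a per-IP fixed-window limiter: a client that sends no `Origin` header still has its request processed, and only the limiter stops it. The Amplify origin is a placeholder, and the limit of 5 requests per 60 seconds, the fixed-window approach, and the function names are assumptions.

```javascript
// Added example: constructed values, not the app's real configuration.
const ALLOWED_ORIGINS = new Set([
  "https://gameboy.getawd.com",           // origin named in the post
  "https://main.example.amplifyapp.com",  // placeholder for the Amplify origin
]);
const LIMIT = 5;          // assumed: requests allowed per window per IP
const WINDOW_MS = 60000;  // assumed: window length in milliseconds

// CORS only tells a browser whether page script may read the response.
function corsHeaders(origin) {
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    return { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
  }
  // No allow header is sent, but the request itself is still processed.
  return { "Vary": "Origin" };
}

// Fixed-window counter keyed by client IP; the clock is passed in for testing.
function createLimiter(limit = LIMIT, windowMs = WINDOW_MS) {
  const hits = new Map(); // ip -> { start, count }
  return function check(ip, now) {
    const entry = hits.get(ip);
    if (!entry || now - entry.start >= windowMs) {
      hits.set(ip, { start: now, count: 1 });
      return { allowed: true, retryAfter: 0 };
    }
    entry.count += 1;
    if (entry.count <= limit) return { allowed: true, retryAfter: 0 };
    const retryAfter = Math.ceil((entry.start + windowMs - now) / 1000);
    return { allowed: false, retryAfter };
  };
}

// Hypothetical handler: the limiter decides the status, CORS only adds headers.
function handle(check, req, now = Date.now()) {
  const headers = corsHeaders(req.origin);
  const verdict = check(req.ip, now);
  if (!verdict.allowed) {
    const retry = String(verdict.retryAfter);
    return { status: 429, headers: { ...headers, "Retry-After": retry } };
  }
  return { status: 200, headers };
}
```
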

Posted: February 24, 2026