feat: add Content-Security-Policy header for embedded web SPA

Set CSP header on all SPA-served responses to provide defense-in-depth
against XSS. The policy restricts scripts, styles, and all other
resource types to same-origin only, matching the SPA's actual behavior
(external CSS/JS files, same-origin fetch API calls, no WebSockets or
external resources).

internal/server/routes.go

@@ -16,6 +16,11 @@ import (
 
 const routeTimeout = 60 * time.Second
 
+// cspHeader is the Content-Security-Policy applied to the embedded web SPA.
+// The SPA loads external scripts and stylesheets from the same origin only;
+// all API communication uses same-origin fetch (no WebSockets).
+const cspHeader = "default-src 'self'; script-src 'self'; style-src 'self'"
+
 // SetupRoutes configures the HTTP routes and middleware.
 func (srv *Server) SetupRoutes() {
 	srv.router = chi.NewRouter()
@@ -133,6 +138,11 @@ func (srv *Server) setupSPA() {
 		writer http.ResponseWriter,
 		request *http.Request,
 	) {
+		writer.Header().Set(
+			"Content-Security-Policy",
+			cspHeader,
+		)
+
 		readFS, ok := distFS.(fs.ReadFileFS)
 		if !ok {
 			fileServer.ServeHTTP(writer, request)