Implement security headers middleware

Adds X-Content-Type-Options, X-Frame-Options, Referrer-Policy,
and X-XSS-Protection headers to all responses.

internal/middleware/middleware.go

@@ -135,10 +135,22 @@ func (s *Middleware) MetricsAuth() func(http.Handler) http.Handler {
 }
 
 // SecurityHeaders returns a middleware that adds security headers to responses.
+// These headers help protect against common web vulnerabilities.
 func (s *Middleware) SecurityHeaders() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			// TODO: implement security headers
+			// Prevent MIME type sniffing
+			w.Header().Set("X-Content-Type-Options", "nosniff")
+
+			// Prevent clickjacking
+			w.Header().Set("X-Frame-Options", "DENY")
+
+			// Control referrer information
+			w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
+
+			// Disable XSS filtering (modern browsers don't need it, can cause issues)
+			w.Header().Set("X-XSS-Protection", "0")
+
 			next.ServeHTTP(w, r)
 		})
 	}

internal/server/routes.go

@@ -17,6 +17,7 @@ func (s *Server) SetupRoutes() {
 
 	s.router.Use(middleware.Recoverer)
 	s.router.Use(middleware.RequestID)
+	s.router.Use(s.mw.SecurityHeaders())
 	s.router.Use(s.mw.Logging())
 
 	// Add metrics middleware only if credentials are configured