remove HTTP hardening checklist from NEW_REPO_CHECKLIST.md

New repos aren't HTTP services at creation time — these items only
make sense in EXISTING_REPO_CHECKLIST.md (for 1.0 prep) and in the
policy itself (REPO_POLICIES.md).

prompts/NEW_REPO_CHECKLIST.md

@@ -1,6 +1,6 @@
 ---
 title: New Repo Checklist
-last_modified: 2026-03-10
+last_modified: 2026-02-22
 ---
 
 Use this checklist when creating a new repository from scratch. Follow the steps
@@ -84,22 +84,7 @@ Template files can be fetched from:
 - [ ] No unnecessary files in repo root
 - [ ] All dates written as YYYY-MM-DD
 
-# 5. HTTP Service Hardening (if the repo is an HTTP/web service targeting 1.0)
+# 5. Merge and Set Up
-
-- [ ] Security headers middleware configured (HSTS, CSP, X-Frame-Options,
-      X-Content-Type-Options, Referrer-Policy, Permissions-Policy)
-- [ ] Request body size limits enforced on all endpoints
-- [ ] HTTP server read/write/idle timeouts configured (slowloris defense)
-- [ ] Per-handler execution time limits in place
-- [ ] Rate limiting on password-based authentication endpoints
-- [ ] CSRF tokens on all state-mutating HTML forms
-- [ ] Password hashing uses bcrypt, scrypt, or argon2
-- [ ] Session cookies set with HttpOnly, Secure, and SameSite attributes
-- [ ] True client IP detection configured with trusted proxy allowlist
-- [ ] CORS restricted to explicit origin allowlist for authenticated endpoints
-- [ ] Error responses never leak stack traces, SQL queries, or internal paths
-
-# 6. Merge and Set Up
 
 - [ ] Commit, merge to `main`
 - [ ] `make hooks` to install pre-commit hook