Add HTTP service hardening policy for 1.0 releases #17

Merged
sneak merged 3 commits from feature/http-service-hardening-policy into main 2026-03-11 02:11:33 +01:00

3 Commits

Author SHA1 Message Date
user
6be01ea81f fix: clarify TLS policy — services never terminate TLS directly
All checks were successful
check / check (push) Successful in 5s
Our services always sit behind a TLS-terminating reverse proxy and
listen on plain HTTP. Updated the TLS subsection to state this as
policy rather than presenting it as one of two options.
2026-03-10 18:07:18 -07:00
clawbot
32cfb84831 remove HTTP hardening checklist from NEW_REPO_CHECKLIST.md
All checks were successful
check / check (push) Successful in 5s
New repos aren't HTTP services at creation time — these items only
make sense in EXISTING_REPO_CHECKLIST.md (for 1.0 prep) and in the
policy itself (REPO_POLICIES.md).
2026-03-10 18:04:47 -07:00
user
2946dd2f14 add HTTP service hardening policy for 1.0 releases
All checks were successful
check / check (push) Successful in 5s
Add comprehensive security hardening requirements to REPO_POLICIES.md
that HTTP/web services must satisfy before tagging 1.0. Covers security
headers (HSTS, CSP, XFO, X-Content-Type-Options, Referrer-Policy,
Permissions-Policy), request/response limits, slowloris timeouts, rate
limiting on password auth, CSRF, session cookie security, reverse proxy
IP detection, CORS restrictions, and error handling.

Also add corresponding checklist sections to EXISTING_REPO_CHECKLIST.md
and NEW_REPO_CHECKLIST.md for verification during repo setup.
2026-03-10 17:47:59 -07:00
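As an added illustration of several of the requirements the commit messages above list (security headers, request limits, slowloris timeouts, session cookie flags, and client-IP detection behind the TLS-terminating reverse proxy), here is a small Go `net/http` server. This is example code written for this page, not code from the pull request or its repository; the repository's language, framework, proxy address range (assumed `127.0.0.0/8` in `main`), and the header values and timeout numbers are all assumptions, not values the policy prescribes.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"strings"
	"time"
)

// securityHeaders sets the response headers the policy lists. HSTS is emitted
// even though the service speaks plain HTTP, because the TLS-terminating proxy
// in front of it relays the header to the browser unchanged.
func securityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
		h.Set("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")
		h.Set("X-Frame-Options", "DENY")
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("Referrer-Policy", "strict-origin-when-cross-origin")
		h.Set("Permissions-Policy", "camera=(), microphone=(), geolocation=()")
		next.ServeHTTP(w, r)
	})
}

// maxBody caps request bodies so a client cannot exhaust memory or disk;
// reads past the limit fail and the connection is closed after the response.
func maxBody(limit int64, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Body = http.MaxBytesReader(w, r.Body, limit)
		next.ServeHTTP(w, r)
	})
}

// clientIP returns the address to use for logging and per-IP rate limits.
// X-Forwarded-For is honoured only when the TCP peer is the trusted reverse
// proxy; otherwise any client could spoof the header and dodge the limits.
// With a single proxy hop, the rightmost entry is the one the proxy appended.
func clientIP(r *http.Request, trustedProxy *net.IPNet) string {
	peer, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		peer = r.RemoteAddr
	}
	if ip := net.ParseIP(peer); ip != nil && trustedProxy.Contains(ip) {
		if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
			parts := strings.Split(xff, ",")
			return strings.TrimSpace(parts[len(parts)-1])
		}
	}
	return peer
}

// sessionCookie builds a session cookie with the flags the policy requires.
// The __Host- prefix makes the browser refuse it unless Secure, Path=/ and
// no Domain are set, so a misconfiguration fails closed.
func sessionCookie(value string) *http.Cookie {
	return &http.Cookie{
		Name:     "__Host-session",
		Value:    value,
		Path:     "/",
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode,
	}
}

// newServer wires the middleware together with the timeouts that defeat
// slowloris-style clients which trickle headers or bodies indefinitely.
func newServer(addr string, app http.Handler) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           securityHeaders(maxBody(1<<20, app)), // 1 MiB body cap (assumed)
		ReadHeaderTimeout: 5 * time.Second,                     // slow header drip
		ReadTimeout:       15 * time.Second,                    // slow body drip
		WriteTimeout:      30 * time.Second,
		IdleTimeout:       60 * time.Second,
		MaxHeaderBytes:    16 << 10,
	}
}

func main() {
	// Assumed: the reverse proxy connects from loopback.
	_, proxyNet, _ := net.ParseCIDR("127.0.0.0/8")
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.SetCookie(w, sessionCookie("opaque-session-id"))
		fmt.Fprintf(w, "hello from %s\n", clientIP(r, proxyNet))
	})
	// Plain HTTP on loopback only; TLS is terminated by the proxy in front.
	log.Fatal(newServer("127.0.0.1:8080", app).ListenAndServe())
}
```

Rate limiting on password authentication and CSRF protection, also named in the commit message, are deliberately not shown here; both depend on `clientIP` returning a trustworthy address, which is why that function refuses to believe `X-Forwarded-For` from anything but the proxy.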