security: add headers middleware, session regeneration, and body size limits (#41)

## Summary

This PR implements three security hardening measures:

### Security Headers Middleware (closes #34)

Adds a `SecurityHeaders()` middleware applied globally to all routes. Every response now includes:
- `Strict-Transport-Security: max-age=63072000; includeSubDomains; preload`
- `X-Content-Type-Options: nosniff`
- `X-Frame-Options: DENY`
- `Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'`
- `Referrer-Policy: strict-origin-when-cross-origin`
- `Permissions-Policy: camera=(), microphone=(), geolocation=()`

### Session Fixation Prevention (closes #38)

Adds a `Regenerate()` method to the session manager that destroys the old session and creates a new one with a fresh ID, copying all session values. Called after successful login to prevent session fixation attacks.

### Request Body Size Limits (closes #39)

Adds a `MaxBodySize()` middleware using `http.MaxBytesReader` to limit POST/PUT/PATCH request bodies to 1 MB. Applied to all form endpoints (`/pages`, `/sources`, `/source/*`).

## Files Changed

- `internal/middleware/middleware.go` — Added `SecurityHeaders()` and `MaxBodySize()` middleware
- `internal/session/session.go` — Added `Regenerate()` method for session fixation prevention
- `internal/handlers/auth.go` — Updated login handler to regenerate session after authentication
- `internal/server/routes.go` — Added SecurityHeaders globally, MaxBodySize to form route groups
- `README.md` — Documented new middleware in stack, updated Security section, moved items to completed TODO

closes #34, closes #38, closes #39

Co-authored-by: clawbot <clawbot@noreply.git.eeqj.de>
Reviewed-on: #41
Co-authored-by: clawbot <clawbot@noreply.example.org>
Co-committed-by: clawbot <clawbot@noreply.example.org>

internal/server/routes.go

@@ -11,12 +11,18 @@ import (
 	"sneak.berlin/go/webhooker/static"
 )
 
+// maxFormBodySize is the maximum allowed request body size (in bytes) for
+// form POST endpoints.  1 MB is generous for any form submission while
+// preventing abuse from oversized payloads.
+const maxFormBodySize int64 = 1 * 1024 * 1024 // 1 MB
+
 func (s *Server) SetupRoutes() {
 	s.router = chi.NewRouter()
 
 	// Global middleware stack — applied to every request.
 	s.router.Use(middleware.Recoverer)
 	s.router.Use(middleware.RequestID)
+	s.router.Use(s.mw.SecurityHeaders())
 	s.router.Use(s.mw.Logging())
 
 	// Metrics middleware (only if credentials are configured)
@@ -60,6 +66,8 @@ func (s *Server) SetupRoutes() {
 
 	// pages that are rendered server-side
 	s.router.Route("/pages", func(r chi.Router) {
+		r.Use(s.mw.MaxBodySize(maxFormBodySize))
+
 		// Login page (no auth required)
 		r.Get("/login", s.h.HandleLoginPage())
 		r.Post("/login", s.h.HandleLoginSubmit())
@@ -76,6 +84,7 @@ func (s *Server) SetupRoutes() {
 	// Webhook management routes (require authentication)
 	s.router.Route("/sources", func(r chi.Router) {
 		r.Use(s.mw.RequireAuth())
+		r.Use(s.mw.MaxBodySize(maxFormBodySize))
 		r.Get("/", s.h.HandleSourceList())             // List all webhooks
 		r.Get("/new", s.h.HandleSourceCreate())        // Show create form
 		r.Post("/new", s.h.HandleSourceCreateSubmit()) // Handle create submission
@@ -83,6 +92,7 @@ func (s *Server) SetupRoutes() {
 
 	s.router.Route("/source/{sourceID}", func(r chi.Router) {
 		r.Use(s.mw.RequireAuth())
+		r.Use(s.mw.MaxBodySize(maxFormBodySize))
 		r.Get("/", s.h.HandleSourceDetail())                                       // View webhook details
 		r.Get("/edit", s.h.HandleSourceEdit())                                     // Show edit form
 		r.Post("/edit", s.h.HandleSourceEditSubmit())                              // Handle edit submission