feat: add CSRF protection, SSRF prevention, and login rate limiting (#42)

## Security Hardening

This PR implements three security hardening issues:

### CSRF Protection (closes #35)

- Session-based CSRF tokens with cryptographically random 256-bit generation
- Constant-time token comparison to prevent timing attacks
- CSRF middleware applied to `/pages`, `/sources`, `/source`, and `/user` routes
- Hidden `csrf_token` field added to all 12+ POST forms in templates
- Excluded from `/webhook` (inbound webhook POSTs) and `/api` (stateless API)

### SSRF Prevention (closes #36)

- `ValidateTargetURL()` blocks private/reserved IP ranges at target creation time
- Blocked ranges: `127.0.0.0/8`, `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`, `169.254.0.0/16`, `::1`, `fc00::/7`, `fe80::/10`, plus multicast, reserved, test-net, and CGN ranges
- SSRF-safe HTTP transport with custom `DialContext` in the delivery engine for defense-in-depth (prevents DNS rebinding attacks)
- Only `http` and `https` schemes allowed

### Login Rate Limiting (closes #37)

- Per-IP rate limiter using `golang.org/x/time/rate`
- 5 attempts per minute per IP on `POST /pages/login`
- GET requests (form rendering) pass through unaffected
- Automatic cleanup of stale per-IP limiter entries every 5 minutes
- `X-Forwarded-For` and `X-Real-IP` header support for reverse proxies

### Files Changed

**New files:**
- `internal/middleware/csrf.go` + tests — CSRF middleware
- `internal/middleware/ratelimit.go` + tests — Login rate limiter
- `internal/delivery/ssrf.go` + tests — SSRF validation + safe transport

**Modified files:**
- `internal/server/routes.go` — Wire CSRF and rate limit middleware
- `internal/handlers/handlers.go` — Inject CSRF token into template data
- `internal/handlers/source_management.go` — SSRF validation on target creation
- `internal/delivery/engine.go` — SSRF-safe HTTP transport for production
- All form templates — Added hidden `csrf_token` fields
- `README.md` — Updated Security section and TODO checklist

`docker build .` passes (lint + tests + build).

Co-authored-by: clawbot <clawbot@noreply.git.eeqj.de>
Co-authored-by: clawbot <clawbot@eeqj.de>
Co-authored-by: Jeffrey Paul <sneak@noreply.example.org>
Reviewed-on: #42
Co-authored-by: clawbot <clawbot@noreply.example.org>
Co-committed-by: clawbot <clawbot@noreply.example.org>

internal/server/routes.go

@@ -64,13 +64,18 @@ func (s *Server) SetupRoutes() {
 		})
 	}
 
-	// pages that are rendered server-side
+	// pages that are rendered server-side — CSRF-protected, body-size
+	// limited, and with per-IP rate limiting on the login endpoint.
 	s.router.Route("/pages", func(r chi.Router) {
+		r.Use(s.mw.CSRF())
 		r.Use(s.mw.MaxBodySize(maxFormBodySize))
 
-		// Login page (no auth required)
-		r.Get("/login", s.h.HandleLoginPage())
-		r.Post("/login", s.h.HandleLoginSubmit())
+		// Login page — rate-limited to prevent brute-force attacks
+		r.Group(func(r chi.Router) {
+			r.Use(s.mw.LoginRateLimit())
+			r.Get("/login", s.h.HandleLoginPage())
+			r.Post("/login", s.h.HandleLoginSubmit())
+		})
 
 		// Logout (auth required)
 		r.Post("/logout", s.h.HandleLogout())
@@ -78,11 +83,13 @@ func (s *Server) SetupRoutes() {
 
 	// User profile routes
 	s.router.Route("/user/{username}", func(r chi.Router) {
+		r.Use(s.mw.CSRF())
 		r.Get("/", s.h.HandleProfile())
 	})
 
-	// Webhook management routes (require authentication)
+	// Webhook management routes (require authentication, CSRF-protected)
 	s.router.Route("/sources", func(r chi.Router) {
+		r.Use(s.mw.CSRF())
 		r.Use(s.mw.RequireAuth())
 		r.Use(s.mw.MaxBodySize(maxFormBodySize))
 		r.Get("/", s.h.HandleSourceList())             // List all webhooks
@@ -91,6 +98,7 @@ func (s *Server) SetupRoutes() {
 	})
 
 	s.router.Route("/source/{sourceID}", func(r chi.Router) {
+		r.Use(s.mw.CSRF())
 		r.Use(s.mw.RequireAuth())
 		r.Use(s.mw.MaxBodySize(maxFormBodySize))
 		r.Get("/", s.h.HandleSourceDetail())                                       // View webhook details