security: add headers middleware, session regeneration, and body size limits

- Add SecurityHeaders middleware applied globally: HSTS, X-Content-Type-Options,
  X-Frame-Options, CSP, Referrer-Policy, and Permissions-Policy headers on every
  response.
- Add session regeneration (Regenerate method) after successful login to prevent
  session fixation attacks. Old session is destroyed and a new ID is issued.
- Add MaxBodySize middleware using http.MaxBytesReader to limit POST/PUT/PATCH
  request bodies to 1 MB on all form endpoints (/pages, /sources, /source/*).
- Update README.md: document SecurityHeaders and MaxBodySize in the middleware
  stack, update Security section, move security headers to completed TODO.

Closes #34, closes #38, closes #39

internal/handlers/auth.go

@@ -78,14 +78,23 @@ func (h *Handlers) HandleLoginSubmit() http.HandlerFunc {
 			return
 		}
 
-		// Create session
-		sess, err := h.session.Get(r)
+		// Get the current session (may be pre-existing / attacker-set)
+		oldSess, err := h.session.Get(r)
 		if err != nil {
 			h.log.Error("failed to get session", "error", err)
 			http.Error(w, "Internal server error", http.StatusInternalServerError)
 			return
 		}
 
+		// Regenerate the session to prevent session fixation attacks.
+		// This destroys the old session ID and creates a new one.
+		sess, err := h.session.Regenerate(r, w, oldSess)
+		if err != nil {
+			h.log.Error("failed to regenerate session", "error", err)
+			http.Error(w, "Internal server error", http.StatusInternalServerError)
+			return
+		}
+
 		// Set user in session
 		h.session.SetUser(sess, user.ID, user.Username)