feat: add CSRF protection, SSRF prevention, and login rate limiting

Security hardening implementing three issues:

CSRF Protection (#35):
- Session-based CSRF tokens with cryptographically random generation
- Constant-time token comparison to prevent timing attacks
- CSRF middleware applied to /pages, /sources, /source, and /user routes
- Hidden csrf_token field added to all 12+ POST forms in templates
- Excluded from /webhook (inbound) and /api (stateless) routes

SSRF Prevention (#36):
- ValidateTargetURL blocks private/reserved IP ranges at target creation
- Blocked ranges: 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12,
  192.168.0.0/16, 169.254.0.0/16, ::1, fc00::/7, fe80::/10, plus
  multicast, reserved, test-net, and CGN ranges
- SSRF-safe HTTP transport with custom DialContext for defense-in-depth
  at delivery time (prevents DNS rebinding attacks)
- Only http/https schemes allowed

Login Rate Limiting (#37):
- Per-IP rate limiter using golang.org/x/time/rate
- 5 attempts per minute per IP on POST /pages/login
- GET requests (form rendering) pass through unaffected
- Automatic cleanup of stale per-IP limiter entries
- X-Forwarded-For and X-Real-IP header support for reverse proxies

Closes #35, closes #36, closes #37

templates/source_detail.html

@@ -17,6 +17,7 @@
                 <a href="/source/{{.Webhook.ID}}/logs" class="btn-secondary">Event Log</a>
                 <a href="/source/{{.Webhook.ID}}/edit" class="btn-secondary">Edit</a>
                 <form method="POST" action="/source/{{.Webhook.ID}}/delete" onsubmit="return confirm('Delete this webhook and all its data?')">
+                    <input type="hidden" name="csrf_token" value="{{.CSRFToken}}">
                     <button type="submit" class="btn-danger">Delete</button>
                 </form>
             </div>
@@ -39,6 +40,7 @@
             <!-- Add entrypoint form -->
             <div x-show="showAddEntrypoint" x-cloak class="p-4 bg-gray-50 border-b border-gray-200">
                 <form method="POST" action="/source/{{.Webhook.ID}}/entrypoints" class="flex gap-2">
+                    <input type="hidden" name="csrf_token" value="{{.CSRFToken}}">
                     <input type="text" name="description" placeholder="Description (optional)" class="input text-sm flex-1">
                     <button type="submit" class="btn-primary text-sm">Add</button>
                 </form>
@@ -56,11 +58,13 @@
                             <span class="badge-error">Inactive</span>
                             {{end}}
                             <form method="POST" action="/source/{{$.Webhook.ID}}/entrypoints/{{.ID}}/toggle" class="inline">
+                                <input type="hidden" name="csrf_token" value="{{$.CSRFToken}}">
                                 <button type="submit" class="text-xs text-gray-500 hover:text-primary-600" title="{{if .Active}}Deactivate{{else}}Activate{{end}}">
                                     {{if .Active}}Deactivate{{else}}Activate{{end}}
                                 </button>
                             </form>
                             <form method="POST" action="/source/{{$.Webhook.ID}}/entrypoints/{{.ID}}/delete" onsubmit="return confirm('Delete this entrypoint?')" class="inline">
+                                <input type="hidden" name="csrf_token" value="{{$.CSRFToken}}">
                                 <button type="submit" class="text-xs text-red-500 hover:text-red-700" title="Delete">Delete</button>
                             </form>
                         </div>
@@ -88,6 +92,7 @@
             <!-- Add target form -->
             <div x-show="showAddTarget" x-cloak class="p-4 bg-gray-50 border-b border-gray-200">
                 <form method="POST" action="/source/{{.Webhook.ID}}/targets" x-data="{ targetType: 'http' }" class="space-y-3">
+                    <input type="hidden" name="csrf_token" value="{{.CSRFToken}}">
                     <div class="flex gap-2">
                         <input type="text" name="name" placeholder="Target name" required class="input text-sm flex-1">
                         <select name="type" x-model="targetType" class="input text-sm w-32">
@@ -120,11 +125,13 @@
                             <span class="badge-error">Inactive</span>
                             {{end}}
                             <form method="POST" action="/source/{{$.Webhook.ID}}/targets/{{.ID}}/toggle" class="inline">
+                                <input type="hidden" name="csrf_token" value="{{$.CSRFToken}}">
                                 <button type="submit" class="text-xs text-gray-500 hover:text-primary-600" title="{{if .Active}}Deactivate{{else}}Activate{{end}}">
                                     {{if .Active}}Deactivate{{else}}Activate{{end}}
                                 </button>
                             </form>
                             <form method="POST" action="/source/{{$.Webhook.ID}}/targets/{{.ID}}/delete" onsubmit="return confirm('Delete this target?')" class="inline">
+                                <input type="hidden" name="csrf_token" value="{{$.CSRFToken}}">
                                 <button type="submit" class="text-xs text-red-500 hover:text-red-700" title="Delete">Delete</button>
                             </form>
                         </div>