- Add SecurityHeaders middleware applied globally: HSTS, X-Content-Type-Options,
X-Frame-Options, CSP, Referrer-Policy, and Permissions-Policy headers on every
response.
- Add session regeneration (Regenerate method) after successful login to prevent
session fixation attacks. Old session is destroyed and a new ID is issued.
- Add MaxBodySize middleware using http.MaxBytesReader to limit POST/PUT/PATCH
request bodies to 1 MB on all form endpoints (/pages, /sources, /source/*).
- Update README.md: document SecurityHeaders and MaxBodySize in the middleware
stack, update Security section, move security headers to completed TODO.
Closes#34, closes#38, closes#39
