fix: add missing security headers to web app #2

Open
Preshy wants to merge 1 commit into master from fix/security-headers

Conversation

Preshy (Contributor) commented Apr 11, 2026

Security Headers Fix

Summary

This PR addresses the security assessment findings reported in issue #1 by adding the missing security headers to the Next.js web application.

Changes Made

Added the following security headers to apps/web/next.config.ts:

HIGH Priority (Fixes from Issue #1)

  1. Content-Security-Policy: Prevents XSS and injection attacks

    • Allows scripts and styles from self with unsafe-inline/eval (needed for Next.js)
    • Allows images from self, data URIs, blobs, and HTTPS sources
    • Allows media and connections from self, HTTPS, and WSS (needed for WebRTC)
    • Blocks frame ancestors and form actions to self only
  2. Strict-Transport-Security: Prevents protocol downgrade attacks

    • Sets max-age to 1 year (31536000 seconds)
    • Includes all subdomains

LOW Priority (Fixes from Issue #1)

  1. X-XSS-Protection: Enables browser XSS filtering

    • Set to '1; mode=block' for maximum protection
  2. Permissions-Policy: Restricts browser feature access

    • Allows camera, microphone, and display-capture for self (required for screen sharing app)
    • Blocks geolocation, payment, and USB access

Security Considerations

  • The CSP policy is configured to support the app's functionality (WebRTC, media streams, dynamic content)
  • Permissions-Policy allows camera/microphone/display-capture as these are core features for a screen sharing application
  • All headers apply to all routes (/(.*) source pattern)

Testing

  • ✅ Build passes successfully
  • ✅ Next.js config syntax validated
  • ⚠️ Some pre-existing test failures (localStorage mocking issues) - unrelated to this change

Fixes #1

Add the following security headers to address security assessment findings:
- Content-Security-Policy: Prevent XSS and injection attacks
- Strict-Transport-Security: Prevent protocol downgrade attacks
- X-XSS-Protection: Enable browser XSS filtering
- Permissions-Policy: Restrict browser feature access (camera, mic, etc.)

Fixes #1

Signed-off-by: PairUX Bot

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
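An added example, not code from this PR or from apps/web/next.config.ts: it builds the four headers the description above lists, in the shape the Next.js `headers()` option returns, and parses the resulting CSP back to flag the directives that weaken it. The exact directive values (in particular putting wss: only under connect-src) are assumptions reconstructed from the PR text.

```typescript
// Added example, not the project's apps/web/next.config.ts: the header set the
// PR describes, in the shape Next.js's `headers()` option returns, plus a CSP audit.
export const CSP_DIRECTIVES: Record<string, string[]> = {
  "default-src": ["'self'"],
  "script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"], // as the PR states
  "style-src": ["'self'", "'unsafe-inline'"],
  "img-src": ["'self'", "data:", "blob:", "https:"],
  "media-src": ["'self'", "https:"],
  "connect-src": ["'self'", "https:", "wss:"], // WebRTC signalling over WSS (assumed)
  "frame-ancestors": ["'self'"],
  "form-action": ["'self'"],
};

// Serialise a directive map into a CSP header value.
export function buildCsp(directives: Record<string, string[]>): string {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

// The four headers from the PR, applied to every route via source "/(.*)".
export function securityHeaders(): { key: string; value: string }[] {
  return [
    { key: "Content-Security-Policy", value: buildCsp(CSP_DIRECTIVES) },
    { key: "Strict-Transport-Security", value: "max-age=31536000; includeSubDomains" },
    { key: "X-XSS-Protection", value: "1; mode=block" },
    { key: "Permissions-Policy",
      value: "camera=(self), microphone=(self), display-capture=(self), geolocation=(), payment=(), usb=()" },
  ];
}
export async function headers() { // the `headers` option of next.config.ts
  return [{ source: "/(.*)", headers: securityHeaders() }];
}

// Parse a CSP value back into directives and report the ones that weaken it: inline or
// eval'd script sources negate most of CSP's XSS protection (the trade-off the PR accepts).
export function auditCsp(csp: string): string[] {
  const map = new Map<string, string[]>();
  for (const part of csp.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) map.set(name, sources);
  }
  const findings: string[] = [];
  const script = map.get("script-src") ?? map.get("default-src") ?? [];
  for (const weak of ["'unsafe-inline'", "'unsafe-eval'"]) {
    if (script.includes(weak)) findings.push(`script-src allows ${weak}`);
  }
  if (!map.has("frame-ancestors")) findings.push("frame-ancestors not set");
  return findings;
}
```

Running auditCsp over the PR's own policy reports both unsafe script sources, which is the residual XSS exposure to track when the Next.js build later permits a nonce- or hash-based script-src.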

Development

Successfully merging this pull request may close these issues.

aibughunter report