
fix(security): harden HTTP headers#83

Merged
nanaf6203-bit merged 1 commit into StellarTips:main from singhvishalkr:fix/security-headers-64 on Jun 20, 2026

Conversation

@singhvishalkr

Contributor

Problem

The backend enabled Helmet with default options and allowed credentialed CORS even when CORS_ORIGIN=* was configured. That left security headers and production CORS behavior less explicit than the API needs.

Solution

  • Added a typed security config module for Helmet, CORS, and Permissions-Policy.
  • Configured CSP, HSTS preload, referrer policy, frameguard, no-sniff, XSS protection, and cross-domain policy headers.
  • Tightened CORS so wildcard origins do not allow credentials, while specific origins do.
  • Added response-header coverage for the configured middleware.
  • Documented the header and CORS behavior in docs/SECURITY.md.

Closes #64

Verification

  • npm.cmd ci
  • npm.cmd test -- security.config.spec.ts --runInBand
  • npm.cmd run build
  • npx.cmd eslint src/config/security.config.ts src/config/security.config.spec.ts src/main.ts
  • npx.cmd prettier --check docs/SECURITY.md src/config/security.config.ts src/config/security.config.spec.ts src/main.ts
  • npx.cmd tsc --noEmit
  • git diff --check
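The wildcard-versus-credentials rule from the Solution list above, as an added example that is not the PR's security.config.ts: resolveCorsPolicy and corsHeadersFor are hypothetical helpers (only the CORS_ORIGIN variable comes from the PR), and the example origins are constructed.

```typescript
// Added example, not the PR's security.config.ts: how a CORS_ORIGIN value maps to
// a CORS policy, and which CORS headers a browser would then see on a response.

export interface CorsPolicy {
  /** "*" for a wildcard, otherwise the exact allowed origins. */
  origin: "*" | string[];
  /** Credentials are only ever allowed when the origins are explicit. */
  credentials: boolean;
}

// Parse CORS_ORIGIN, e.g. "*" or "https://app.example.com,https://admin.example.com".
export function resolveCorsPolicy(corsOrigin: string | undefined): CorsPolicy {
  const raw = (corsOrigin ?? "*").trim();
  if (raw === "" || raw === "*") {
    // Wildcard: browsers reject "*" combined with Allow-Credentials, and reflecting
    // arbitrary origins with credentials would be worse, so never pair the two.
    return { origin: "*", credentials: false };
  }
  const origins = raw
    .split(",")
    .map((o) => o.trim().replace(/\/+$/, "")) // drop stray trailing slashes
    .filter((o) => o.length > 0);
  return { origin: origins, credentials: true };
}

// Compute the CORS response headers for a request carrying the given Origin header.
export function corsHeadersFor(policy: CorsPolicy, requestOrigin: string | undefined): Record<string, string> {
  const headers: Record<string, string> = {};
  const allowed = policy.origin;
  if (allowed === "*") {
    headers["Access-Control-Allow-Origin"] = "*"; // and deliberately no Allow-Credentials
    return headers;
  }
  // The response now depends on the Origin header, so tell caches about it.
  headers["Vary"] = "Origin";
  if (requestOrigin !== undefined && allowed.includes(requestOrigin)) {
    // Echo only the matched allow-listed origin; unknown origins get no ACAO at all.
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    if (policy.credentials) {
      headers["Access-Control-Allow-Credentials"] = "true";
    }
  }
  return headers;
}
```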

@nanaf6203-bit nanaf6203-bit merged commit 871791a into StellarTips:main Jun 20, 2026
5 checks passed

Contributor

Helmet + CORS + Permissions-Policy hardening looks great, and typed Helmet config in security.config.ts is the right call. Merged.



Development

Successfully merging this pull request may close these issues.

Add CSP, HSTS, and other security headers via Helmet configuration

2 participants