fix: harden security based on pentest scan findings

- Add Content-Security-Policy to main nginx server block (was only on /admin/)
- Add Cross-Origin-Opener-Policy and Cross-Origin-Resource-Policy headers
- Add includeSubDomains to HSTS header
- Set HttpOnly, Secure, SameSite=Lax session cookie params on public pages
  (AdminAuth already hardens the /admin session with SameSite=Strict)
- Update xamxam.conf.reference and SECURITY_HEADERS.md to match

nginx/xamxam.conf.reference

@@ -34,12 +34,14 @@ server {
     index index.php index.html index.htm;
 
     # Security headers
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;" always;
+    add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';" always;
     add_header X-Frame-Options "SAMEORIGIN" always;
     add_header X-Content-Type-Options "nosniff" always;
-    # X-XSS-Protection intentionally omitted — deprecated and counterproductive in modern browsers.
-    # CSP (Content-Security-Policy) is the correct mitigation.
     add_header Referrer-Policy "strict-origin-when-cross-origin" always;
     add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
+    add_header Cross-Origin-Opener-Policy "same-origin" always;
+    add_header Cross-Origin-Resource-Policy "same-origin" always;
 
     # Server tokens already disabled in nginx.conf
     # server_tokens off;