Security headers (CSP, XFO, X-Content-Type-Options)

## Problem
Missing standard hardened security headers (CSP, XFO, X-Content-Type-Options, etc.).

## Proposal
- Add middleware to append CSP, X-Frame-Options, SameSite, X-Content-Type-Options headers.
- CSP blocks inline scripts but allows required sources.
- Document CSP exceptions for Blazor.
- Target good rating on securityheaders.com.

## Alternatives considered
- Use default ASP.NET Core headers only.

## Acceptance criteria
- [ ] CSP blocks inline scripts; allow required sources
- [ ] X-Frame-Options/SameSite/XCTO set
- [ ] Good rating on securityheaders.com

## Technical notes
- Middleware to append headers
- Document CSP exceptions for Blazor

## Risks
- CSP misconfiguration may break app functionality.

## Additional context
Labels: security

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Security headers (CSP, XFO, X-Content-Type-Options) #35

Problem

Proposal

Alternatives considered

Acceptance criteria

Technical notes

Risks

Additional context

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Security headers (CSP, XFO, X-Content-Type-Options) #35

Description

Problem

Proposal

Alternatives considered

Acceptance criteria

Technical notes

Risks

Additional context

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions