security: remove unsafe-eval CSP, fix host header injection, harden API routes

- Remove unsafe-eval from script-src CSP (not needed in production)
- Replace Host/Origin header fallback with NEXT_PUBLIC_APP_URL in share
  and checkout routes to prevent host header injection
- Add .catch() to request.json() in share POST and PATCH routes
- Add rate limiting (3/min) to account deletion endpoint

0 files changed, 0 insertions, 0 deletions