author: Fuwn <[email protected]> 2026-06-01 13:09:56 +0000
committer: Fuwn <[email protected]> 2026-06-01 13:09:56 +0000
commit: 571e8b7961660aa193f755f8e4bb71e0984486da (patch)
tree: a4819275b8cd8f8fb61bfac6310400eb3f081916 /src/routes/+layout.svelte
parent: fix(security): mark auth cookies Secure outside localhost (diff)
feat(security): add Content-Security-Policy
No CSP existed, leaving the app without defense-in-depth against XSS. Add a SvelteKit nonce-based policy (mode: auto): script-src limited to self + per-request nonce + the analytics/Vercel script hosts, object-src none, base-uri and frame-ancestors self. img/style/font/connect stay permissive (https:) so the image proxy, CDNs, fonts and the many cross-origin API calls keep working; the two inline app.html scripts carry %sveltekit.nonce%. Verified in-browser across routes (no violations, HMR and hydration intact) and via a production build.
Diffstat (limited to 'src/routes/+layout.svelte')
0 files changed, 0 insertions, 0 deletions
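The policy the commit message describes, written out as an added example rather than the due.moe project's own `svelte.config.js`. The `directives` object follows the shape SvelteKit's `kit.csp.directives` accepts (directive name to a list of sources, keywords unquoted, the per-request nonce added by the framework), but everything beyond what the message states is an assumption: the two script hosts are placeholders because the real analytics and Vercel hosts are not on the page, and `self` alongside `https:` in the permissive directives is assumed so localhost development still resolves. The block also serialises the policy into a header with a nonce and runs the sanity checks a reviewer would want before merging such a change: no `unsafe-inline` or scheme-wide source in `script-src`, `object-src` locked to `none`, `base-uri` and `frame-ancestors` present.

```javascript
// Added example, not code from the due.moe repository. Hosts below are placeholders.
const ANALYTICS_SCRIPT_HOST = "https://analytics.example.invalid"; // placeholder (assumption)
const VERCEL_SCRIPT_HOST = "https://vercel-scripts.example.invalid"; // placeholder (assumption)

// Mirrors what the commit message states; SvelteKit (mode: 'auto') adds the nonce itself.
// 'self' in the img/style/font/connect directives is an assumption, not stated on the page.
const directives = {
  "script-src": ["self", ANALYTICS_SCRIPT_HOST, VERCEL_SCRIPT_HOST],
  "object-src": ["none"],
  "base-uri": ["self"],
  "frame-ancestors": ["self"],
  "img-src": ["self", "https:"],
  "style-src": ["self", "https:"],
  "font-src": ["self", "https:"],
  "connect-src": ["self", "https:"],
};

// CSP keywords must be single-quoted in the header; host and scheme sources must not be.
const KEYWORDS = new Set(["self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic"]);

// Serialise a directives map into a Content-Security-Policy header value, appending the
// per-request nonce to script-src (this is the work SvelteKit does for you in nonce mode).
function buildCsp(dirs, nonce) {
  return Object.entries(dirs)
    .map(([name, sources]) => {
      const quoted = sources.map((s) => (KEYWORDS.has(s) ? `'${s}'` : s));
      if (name === "script-src" && nonce) quoted.push(`'nonce-${nonce}'`);
      return `${name} ${quoted.join(" ")}`;
    })
    .join("; ");
}

// A fresh nonce per response: 16 random bytes, base64, never reused across requests.
function newNonce() {
  const bytes = new Uint8Array(16);
  globalThis.crypto.getRandomValues(bytes);
  return btoa(String.fromCharCode(...bytes));
}

// Review checks: each finding is a setting that would undo the defence-in-depth the CSP is for.
function auditCsp(dirs) {
  const findings = [];
  const script = dirs["script-src"] ?? [];
  if (script.length === 0) {
    findings.push("script-src missing: scripts fall back to default-src or are unrestricted");
  }
  if (script.includes("unsafe-inline")) {
    findings.push("script-src allows 'unsafe-inline': the nonce no longer constrains inline scripts");
  }
  if (script.includes("*") || script.includes("https:")) {
    findings.push("script-src allows every https: host: an injected <script src> can load from anywhere");
  }
  if (!(dirs["object-src"] ?? []).includes("none")) {
    findings.push("object-src is not 'none': plugin content can bypass script-src");
  }
  if (!dirs["base-uri"]) {
    findings.push("base-uri missing: an injected <base> can redirect relative script URLs");
  }
  if (!dirs["frame-ancestors"]) {
    findings.push("frame-ancestors missing: the app can be framed by other origins");
  }
  return findings;
}

// Stand-alone demonstration with a constructed nonce; use newNonce() per request in practice.
const DEMO_NONCE = "dGVzdC1ub25jZS1vbmx5"; // constructed value for illustration
console.log(buildCsp(directives, DEMO_NONCE));
console.log("findings:", auditCsp(directives));
```

Switching any directive to a weaker value (for example adding `unsafe-inline` to `script-src`) makes `auditCsp` report it, which is the kind of regression check worth keeping next to the config so a later "make it work" edit cannot silently reopen the gap the commit closed.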