GSSA-2026-05-P6SB4W | 2026-05-07 | 5.1 Medium
Missing browser security response headers
The dashboard shipped without CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, or HSTS, leaving it exposed to clickjacking and MIME-sniffing and without the standard defense-in-depth layer against same-origin XSS. Fixed by adding the standard security header set in next.config.ts.
No CSP, no X-Frame-Options, no HSTS — clickjacking and MIME-sniffing were possible against the dashboard.
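A next.config.ts that applies the header set the fix describes, as an added example rather than the project's own file; the CSP directives and the HSTS max-age are assumptions for a baseline and must be tuned per deployment. The trailing helper checks a live response's header map for the same set, which is how to verify the fix actually reached production.

```typescript
// next.config.ts (added example, not the dashboard's real config).
// Assumption: the app serves its own scripts and styles; CSP is a baseline
// that a real deployment tunes (nonces, allowed origins, report-uri).
type Header = { key: string; value: string };

export const securityHeaders: Header[] = [
  {
    key: "Content-Security-Policy",
    value: [
      "default-src 'self'",
      "script-src 'self'",
      "style-src 'self' 'unsafe-inline'",
      "img-src 'self' data:",
      "object-src 'none'",
      "frame-ancestors 'none'", // modern clickjacking defense
      "base-uri 'self'",
      "form-action 'self'",
    ].join("; "),
  },
  { key: "X-Frame-Options", value: "DENY" }, // legacy clickjacking defense
  { key: "X-Content-Type-Options", value: "nosniff" }, // stop MIME sniffing
  { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
  // Assumed max-age (2 years); only add preload once all subdomains are HTTPS.
  { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains; preload" },
];

// Next.js applies these to every route matched by `source`.
const nextConfig = {
  async headers() {
    return [{ source: "/(.*)", headers: securityHeaders }];
  },
};

export default nextConfig;

// Deploy-time smoke test: given the header map of a fetched response,
// return the names of required security headers that are absent.
// Header names are compared case-insensitively, as HTTP requires.
export function missingSecurityHeaders(responseHeaders: Record<string, string>): string[] {
  const present = new Set(Object.keys(responseHeaders).map((k) => k.toLowerCase()));
  return securityHeaders.map((h) => h.key).filter((k) => !present.has(k.toLowerCase()));
}
```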