Security headers baseline

This site ships a conservative CSP and common hardening headers via next.config.mjs.

Adjust CSP based on third-party scripts (analytics, chat, etc.).