6293a62e47
Adds Strict-Transport-Security (2y, includeSubDomains, preload) and a Permissions-Policy that allows only the features the app uses (camera/mic/display-capture for calls, geolocation for location share, autoplay/fullscreen/encrypted-media) and denies the rest. Complements the existing X-Frame/CSP/Referrer headers.

Apply: reload nginx on the LXC. TLS terminates upstream (listen 80), so verify the header reaches the browser (front proxy must pass it through) — else set HSTS at the TLS terminator. Verify a call + location share still work.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
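The commit asks the deployer to confirm that the HSTS header survives the front proxy and that the Permissions-Policy only enables what the app needs. The script below is an added example, not code from this commit or its repository: it parses the two header values and reports what is missing or too loose, so it can be run over headers captured from the browser side of the proxy. The exact Permissions-Policy feature names, the list of features expected to be denied, and the sample header values are assumptions constructed for the example.

```python
"""Offline check of the Strict-Transport-Security and Permissions-Policy
headers that a reverse proxy is expected to pass through to the browser.

Added example, not part of the commit. Sample values are constructed.
"""

TWO_YEARS = 63072000  # seconds; the commit sets a 2-year max-age

# Assumption: these Permissions-Policy feature names correspond to the
# camera/mic/display-capture/geolocation/autoplay/fullscreen/encrypted-media
# features the commit message lists as used by the app.
ALLOWED_FEATURES = {"camera", "microphone", "display-capture", "geolocation",
                    "autoplay", "fullscreen", "encrypted-media"}

# Constructed list of features a tight policy should explicitly deny.
EXPECTED_DENIED = {"payment", "usb", "midi", "magnetometer", "gyroscope",
                   "accelerometer"}


def parse_hsts(value):
    """Split 'max-age=N; includeSubDomains; preload' into a directive dict."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        out[name.strip().lower()] = val.strip().strip('"') if val else True
    return out


def check_hsts(value, min_age=TWO_YEARS):
    """Return a list of problems; empty list means the header is as expected."""
    problems = []
    d = parse_hsts(value)
    age = d.get("max-age")
    if age is None or not str(age).isdigit():
        problems.append("max-age missing or non-numeric")
    elif int(age) < min_age:
        problems.append(f"max-age {age} < {min_age}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload missing")
    return problems


def parse_permissions_policy(value):
    """Parse 'camera=(self), payment=()' into {feature: [allowlist tokens]}."""
    policy = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        feature, _, allow = item.partition("=")
        allow = allow.strip()
        if allow.startswith("(") and allow.endswith(")"):
            tokens = allow[1:-1].split()          # structured-header inner list
        else:
            tokens = [allow]                      # bare token, e.g. camera=* or camera=self
        policy[feature.strip()] = tokens
    return policy


def check_permissions_policy(value, allowed=ALLOWED_FEATURES, denied=EXPECTED_DENIED):
    """Flag used features that are undeclared or open to all origins, and
    features that should be denied but are not."""
    problems = []
    policy = parse_permissions_policy(value)
    for feature in sorted(allowed):
        tokens = policy.get(feature)
        if tokens is None:
            problems.append(f"{feature} not declared")
        elif "*" in tokens:
            problems.append(f"{feature} allowed for all origins")
    for feature in sorted(denied):
        tokens = policy.get(feature)
        if tokens is None:
            problems.append(f"{feature} not denied")
        elif tokens != []:
            problems.append(f"{feature} has a non-empty allowlist: {tokens}")
    for feature, tokens in policy.items():
        if feature not in allowed and feature not in denied and tokens:
            problems.append(f"unexpected feature {feature} enabled")
    return problems


def check_response_headers(headers):
    """headers: dict of lowercase header name -> value, as captured from the
    client side of the front proxy. An absent HSTS header is the case the
    commit warns about (proxy stripped it, or it must be set at the TLS
    terminator instead)."""
    problems = []
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        problems.append("HSTS absent: set it at the TLS terminator or pass it through")
    else:
        problems += check_hsts(hsts)
    pp = headers.get("permissions-policy")
    if pp is None:
        problems.append("Permissions-Policy absent")
    else:
        problems += check_permissions_policy(pp)
    return problems


# Constructed sample: what a correct response through the front proxy carries.
GOOD = {
    "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
    "permissions-policy": ("camera=(self), microphone=(self), display-capture=(self), "
                           "geolocation=(self), autoplay=(self), fullscreen=(self), "
                           "encrypted-media=(self), payment=(), usb=(), midi=(), "
                           "magnetometer=(), gyroscope=(), accelerometer=()"),
}
# Constructed sample: proxy dropped HSTS and the policy is too loose.
BAD = {"permissions-policy": "camera=*, geolocation=(self), payment=(self)"}

if __name__ == "__main__":
    for name, hdrs in (("good", GOOD), ("bad", BAD)):
        print(name, check_response_headers(hdrs) or "OK")
```

Feed it the headers from a request made through the front proxy rather than directly against the nginx `listen 80` vhost; a clean result against nginx but an "HSTS absent" result through the proxy is exactly the pass-through failure the message tells the deployer to check for.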