Security Hardening
- Added HTTP security headers — X-Frame-Options, X-Content-Type-Options, and Referrer-Policy headers are now set on all responses to protect against clickjacking and MIME-sniffing attacks
- Secure session cookies on HTTPS — Session cookies now include the Secure flag automatically when the server is accessed over HTTPS (HTTP/LAN deployments are unaffected)
- Fixed wheel CVE-2026-24049 (CVSS 7.1) — Upgraded Python wheel package to v0.46.3 in Docker image
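
A post-upgrade check over captured response headers, as an added example that is not the project's own code: it looks for the three headers listed above and checks the Secure flag against the scheme the server was reached on. The cookie name `session`, the header values and the sample responses are constructed assumptions.

```python
from http.cookies import SimpleCookie

# Headers the release notes say are set on all responses.
REQUIRED_HEADERS = ("X-Frame-Options", "X-Content-Type-Options", "Referrer-Policy")


def audit_response(scheme, headers):
    """Return findings for one response.

    scheme  -- "http" or "https", as the client reached the server
    headers -- list of (name, value) pairs, so repeated Set-Cookie lines survive
    """
    findings = []
    seen = {name.lower(): value for name, value in headers if name.lower() != "set-cookie"}
    for required in REQUIRED_HEADERS:
        if required.lower() not in seen:
            findings.append(f"missing header: {required}")
    # "nosniff" is the only value that turns MIME sniffing off.
    xcto = seen.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for morsel in jar.values():
            secure = bool(morsel["secure"])
            if scheme == "https" and not secure:
                findings.append(f"cookie {morsel.key!r} lacks Secure over HTTPS")
            elif scheme == "http" and secure:
                # Browsers do not send Secure cookies back over plain HTTP,
                # so this would break login on an HTTP/LAN deployment.
                findings.append(f"cookie {morsel.key!r} has Secure over plain HTTP")
    return findings


# Constructed sample responses (not captured from the project).
BASE = [
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "same-origin"),
]
HTTPS_OK = BASE + [("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure")]
HTTP_LAN = BASE + [("Set-Cookie", "session=abc123; Path=/; HttpOnly")]
HTTPS_BAD = [
    ("X-Content-Type-Options", "sniff"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
]
```

An empty list means the response matches what the release notes describe for that scheme.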