Harden security: CORS, XSS, rate limiting, CSP, SRI

- Lock down CORS to ALLOWED_ORIGINS env var (was wildcard)
- Fix admin panel XSS: use data-username attributes instead of
  interpolating usernames into onclick handlers
- Add rate limiting to /api/auth/register (3r/m) and /api/admin/*
  (10r/m); set limit_req_status 429
- Add Content-Security-Policy header restricting scripts to self
  and cdn.jsdelivr.net
- Add Subresource Integrity hash to Chart.js CDN script tag

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/main.py

@@ -112,11 +112,13 @@ async def lifespan(app: FastAPI):
 
 app = FastAPI(title="Yolkbook API", lifespan=lifespan)
 
+_cors_origins = [o.strip() for o in os.environ.get("ALLOWED_ORIGINS", "").split(",") if o.strip()]
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=["*"],
-    allow_methods=["*"],
-    allow_headers=["*"],
+    allow_origins=_cors_origins,
+    allow_credentials=True,
+    allow_methods=["GET", "POST", "PUT", "DELETE"],
+    allow_headers=["Authorization", "Content-Type"],
 )
 
 app.include_router(auth_router.router)