[SECURITY] Add Content Security Policy headers

[adamghaleb]

Description

No Content Security Policy (CSP) headers are configured in Next.js config. The app loads external scripts and images without CSP restrictions.

External Resources Currently Loaded

• `https://unpkg.com/react-scan/dist/auto.global.js\` (development)
• `https://cdn.databuddy.cc/databuddy.js\`
• Multiple image domains (Unsplash, GitHub avatars, Iconify API)

Risk

• External script injection attacks
• Style-based attacks
• Data exfiltration

Fix

Add CSP headers via `next.config.ts` headers or middleware with appropriate directives for `default-src`, `script-src`, `img-src`, etc.

Files

• `apps/web/next.config.ts`