security: Add HTTP security headers

Add protective headers to prevent common attacks:
- X-Frame-Options: SAMEORIGIN (clickjacking)
- X-Content-Type-Options: nosniff (MIME sniffing)
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy: disable camera/mic/geo
- X-XSS-Protection: legacy XSS filter

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: PJCoops

next.config.ts

@@ -1,7 +1,40 @@
 import type { NextConfig } from "next";
 
 const nextConfig: NextConfig = {
-  /* config options here */
+  async headers() {
+    return [
+      {
+        source: "/(.*)",
+        headers: [
+          {
+            key: "X-DNS-Prefetch-Control",
+            value: "on",
+          },
+          {
+            key: "X-Frame-Options",
+            value: "SAMEORIGIN",
+          },
+          {
+            key: "X-Content-Type-Options",
+            value: "nosniff",
+          },
+          {
+            key: "Referrer-Policy",
+            value: "strict-origin-when-cross-origin",
+          },
+          {
+            key: "Permissions-Policy",
+            value:
+              "camera=(), microphone=(), geolocation=(), interest-cohort=()",
+          },
+          {
+            key: "X-XSS-Protection",
+            value: "1; mode=block",
+          },
+        ],
+      },
+    ];
+  },
 };
 
 export default nextConfig;