Integrate go-altcha to protect login, change password, lost password,
and reset password forms against automated submissions. Serves the
altcha widget JS from the embedded library, exposes a challenge
endpoint, validates responses server-side with replay prevention, and
updates the CSP to allow self-hosted scripts and WebAssembly.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Set X-Frame-Options, X-Content-Type-Options, Referrer-Policy, CSP,
and Strict-Transport-Security on all responses to mitigate clickjacking,
MIME sniffing, XSS, and downgrade attacks.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
