feat: Add security response headers
Add X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy headers to all responses from blog and wallet apps.

These headers provide defense-in-depth protection:
- X-Content-Type-Options: nosniff - prevents MIME-sniffing attacks
- X-Frame-Options: SAMEORIGIN - prevents clickjacking
- Referrer-Policy: strict-origin-when-cross-origin - controls referrer leakage
- Permissions-Policy: disables unused browser features

CSP is intentionally not included yet - it will be added separately after proper testing with Report-Only mode.

Also adds documentation for nginx configuration to avoid header conflicts and duplication between app and reverse proxy.
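The headers and the app/proxy duplication concern the commit message describes, as an added example that is not the project's code: a small WSGI middleware that sets the four headers only when the application has not already set them (so a per-route override such as `X-Frame-Options: DENY` on a wallet page survives), plus a check that reports header names appearing more than once, which is what a browser sees when both the app and an nginx `add_header` emit the same header. The `Permissions-Policy` feature list, the `demo_app` and the `run_once` harness are assumptions for illustration.

```python
"""Added example, not the project's code: default security headers applied
as a WSGI middleware, plus a duplicate-header check for app/proxy conflicts."""

# Defaults named in the commit message. The Permissions-Policy feature list
# is an assumption; trim it to whatever the app actually uses.
SECURITY_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
}


def add_security_headers(headers):
    """Return a new (name, value) list with each default added only if that
    header is absent, compared case-insensitively so an app-set override wins."""
    present = {name.lower() for name, _ in headers}
    out = list(headers)
    for name, value in SECURITY_HEADERS.items():
        if name.lower() not in present:
            out.append((name, value))
    return out


def duplicate_headers(headers):
    """Lower-cased names that occur more than once in a response header list.
    A non-empty result is the symptom of the app and the reverse proxy both
    adding the same header (nginx add_header appends, it does not replace)."""
    counts = {}
    for name, _ in headers:
        key = name.lower()
        counts[key] = counts.get(key, 0) + 1
    return sorted(name for name, count in counts.items() if count > 1)


class SecurityHeadersMiddleware:
    """Wrap any WSGI app so every response passes through add_security_headers."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def wrapped_start_response(status, headers, exc_info=None):
            return start_response(status, add_security_headers(headers), exc_info)
        return self.app(environ, wrapped_start_response)


def demo_app(environ, start_response):
    """Constructed app (assumption): a page that already sets a stricter
    X-Frame-Options itself, which the middleware must not overwrite."""
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("X-Frame-Options", "DENY"),
    ])
    return [b"<h1>ok</h1>"]


def run_once(app, path="/"):
    """Minimal in-process WSGI call (assumption, no server needed):
    returns (status, headers, body) for a GET on `path`."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)
        return lambda data: None

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    status, headers, body = run_once(SecurityHeadersMiddleware(demo_app))
    print(status)
    for name, value in headers:
        print(f"{name}: {value}")
    # Simulate nginx also emitting the header the app already sent.
    print("duplicates:", duplicate_headers(headers + [("x-frame-options", "SAMEORIGIN")]))
```

If nginx is meant to own one of these headers instead of the app, hide the upstream copy with `proxy_hide_header` before `add_header` rather than letting both through; otherwise the client receives two values, and for `X-Frame-Options` in particular browsers treat conflicting values inconsistently.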