04f291910f
- All requests now require HTTPS.
- Stateless sessions enabled for JWT-based auth.
- XSS, HSTS, and Frame-Options headers added.
- /api/auth/** is public, all other routes require authentication.
- CSRF disabled (assumes token-based auth).
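The five points above, written out as one security filter chain; this is an added illustration, not the commit's own code. It assumes the project uses Spring Security 6 (the commit does not name its framework) and that JWTs are validated by the built-in resource-server support, so a `JwtDecoder` bean or `spring.security.oauth2.resourceserver.jwt.jwk-set-uri` property is expected to exist.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter;

// Assumed reconstruction of the configuration described in the commit message.
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // "All requests now require HTTPS": plain-HTTP requests are redirected to HTTPS.
            .requiresChannel(channel -> channel.anyRequest().requiresSecure())

            // "Stateless sessions": no HttpSession is created or read; every request
            // must carry its own bearer token.
            .sessionManagement(session ->
                session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))

            // "XSS, HSTS, and Frame-Options headers".
            // Note: X-XSS-Protection is a legacy header that current browsers ignore;
            // a Content-Security-Policy is the control that actually limits script injection.
            .headers(headers -> headers
                .xssProtection(xss -> xss.headerValue(
                    XXssProtectionHeaderWriter.HeaderValue.ENABLED_MODE_BLOCK))
                .httpStrictTransportSecurity(hsts -> hsts
                    .includeSubDomains(true)
                    .maxAgeInSeconds(31536000))   // one year; only emitted on HTTPS responses
                .frameOptions(frame -> frame.deny()))

            // "/api/auth/** is public, all other routes require authentication".
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/auth/**").permitAll()
                .anyRequest().authenticated())

            // "CSRF disabled (assumes token-based auth)": safe only while the JWT travels
            // in the Authorization header. If it is ever moved into a cookie, the browser
            // will attach it automatically and CSRF protection must be re-enabled.
            .csrf(csrf -> csrf.disable())

            // JWT validation (assumed: Spring's resource-server support rather than a custom filter).
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));

        return http.build();
    }
}
```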