fix(security): address XSS and TLS verification issues

- Escape spec_id and library in fallback title (XSS prevention)
- Escape preview_url with quote=True before inserting in HTML template
- Enable proxy_ssl_verify for backend proxy to prevent MITM attacks
- Add trusted CA certificate path for TLS verification

Addresses Copilot and GitHub Advanced Security findings.

🤖 Generated with [Claude Code](https://claude.ai/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: MarkusNeusinger

api/routers/seo.py

@@ -154,7 +154,7 @@ async def seo_spec_implementation(
         # Fallback when DB unavailable
         return HTMLResponse(
             BOT_HTML_TEMPLATE.format(
-                title=f"{spec_id} - {library} | pyplots.ai",
+                title=f"{html.escape(spec_id)} - {html.escape(library)} | pyplots.ai",
                 description=DEFAULT_DESCRIPTION,
                 image=DEFAULT_IMAGE,
                 url=f"https://pyplots.ai/{html.escape(spec_id)}/{html.escape(library)}",
@@ -174,7 +174,7 @@ async def seo_spec_implementation(
         BOT_HTML_TEMPLATE.format(
             title=f"{html.escape(spec.title)} - {html.escape(library)} | pyplots.ai",
             description=html.escape(spec.description or DEFAULT_DESCRIPTION),
-            image=image,
+            image=html.escape(image, quote=True),
             url=f"https://pyplots.ai/{html.escape(spec_id)}/{html.escape(library)}",
         )
     )

app/nginx.conf

@@ -46,6 +46,8 @@ server {
         proxy_pass https://api.pyplots.ai/seo-proxy$request_uri;
         proxy_set_header Host api.pyplots.ai;
         proxy_ssl_server_name on;
+        proxy_ssl_verify on;
+        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
     }
 
     # SPA routing - serve index.html for all routes