
feat(security): add Content-Security-Policy and security headers via Helmet#74

Open
rishab11250 wants to merge 1 commit into codepvg:main from rishab11250:fix/security-headers-csp

Conversation

@rishab11250 commented May 31, 2026

Description

Add comprehensive security headers via the Helmet middleware, including a
strict Content-Security-Policy with per-request nonces for inline scripts.
This provides defense-in-depth against XSS — even if sanitization fails,
injected scripts are blocked by the browser.

Fixes #59

Changes Made

  • server.js — Added Helmet middleware with strict CSP using per-request
    nonces, plus X-Frame-Options, X-Content-Type-Options, Referrer-Policy,
    Strict-Transport-Security, and more. Added nonce injection middleware
    that replaces __NONCE__ placeholders in HTML files with a fresh
    cryptographic nonce per request.
  • frontend/leaderboard.html — Added nonce="__NONCE__" to inline
    script tag. Converted inline onclick handlers to addEventListener.
  • frontend/registration.html — Same nonce + event listener conversion.
  • package.json — Added helmet dependency.

CSP Directives

  • default-src 'self'
  • script-src 'self' 'nonce-<random>' — inline scripts need nonce
  • style-src 'self' 'unsafe-inline' https://fonts.googleapis.com
  • font-src 'self' https://fonts.gstatic.com
  • img-src 'self' data:
  • object-src 'none' — no plugins
  • frame-ancestors 'none' — clickjacking protection
  • script-src-attr 'none' — blocks inline event handlers

Type of Change

  • Bug fix

Testing

  • Tested locally — all pages load, CSP headers verified via curl
  • Nonce uniqueness verified (different per request)
  • .html redirect preserves nonce injection
  • No console errors introduced

Checklist

  • I have updated documentation if required
  • My code follows the project's coding style
  • I have formatted my code locally using Prettier
  • I have performed a self-review of my code
  • My changes generate no new warnings or errors
  • I have linked the relevant issue

…Helmet

Add comprehensive security headers via the Helmet middleware, including a
strict Content-Security-Policy with per-request nonces for inline scripts.

Security headers set on every response:
- Content-Security-Policy (nonce-based, blocks injected scripts)
- X-Frame-Options: SAMEORIGIN (clickjacking prevention)
- X-Content-Type-Options: nosniff
- Strict-Transport-Security
- Referrer-Policy: no-referrer

Inline event handlers (onclick) converted to addEventListener for CSP compliance.

Closes codepvg#59
rishab11250 force-pushed the fix/security-headers-csp branch from 2980187 to ed44677 on May 31, 2026 17:45

Development

Successfully merging this pull request may close these issues.

Complete Absence of Content Security Policy — Zero Defense-in-Depth Against XSS