Use SecureRandom for CSP nonce instead of session ID

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: dadachi

config/initializers/content_security_policy.rb

@@ -19,7 +19,7 @@
   end
 
   # Generate session nonces for permitted importmap and inline scripts.
-  config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
+  config.content_security_policy_nonce_generator = ->(request) { SecureRandom.base64(16) }
   config.content_security_policy_nonce_directives = %w[script-src]
 
   # Report violations without enforcing the policy.