feat: add security headers to nginx configurations and improve environment variable handling

nginx/learning.conf

@@ -1,6 +1,13 @@
 # Custom nginx configuration for OpenCCB Learning
 # Keep the learning frontend on port 3003 and expose LMS API via same-origin /lms-api.
 
+# Security headers (server level)
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
+
 location /lms-api/ {
     rewrite ^/lms-api/(.*)$ /$1 break;
     proxy_pass http://openccb-experience:3002;
@@ -30,11 +37,15 @@ location /cms-api/ {
         add_header Access-Control-Max-Age 86400 always;
         add_header Content-Length 0 always;
         add_header Content-Type "text/plain; charset=utf-8" always;
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+        add_header X-Content-Type-Options "nosniff" always;
         return 204;
     }
 
     add_header Access-Control-Allow-Origin $cors_origin always;
     add_header Vary "Origin" always;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-Content-Type-Options "nosniff" always;
 
     rewrite ^/cms-api/(.*)$ /$1 break;
     proxy_pass http://openccb-studio:3001;