feat: add security headers to nginx configurations and improve environment variable handling

nginx/studio.conf

@@ -1,6 +1,13 @@
 # Custom nginx configuration for OpenCCB Studio
 # This overrides the default location block to route API requests correctly
 
+# Security headers (server level - heredados por location blocks sin add_header propios)
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
+
 # Allow large ZIP uploads (RAG bulk import can exceed 2GB).
 client_max_body_size 4096m;
 client_body_timeout 43200s;
@@ -45,11 +52,15 @@ location /cms-api/ {
         add_header Access-Control-Max-Age 86400 always;
         add_header Content-Length 0 always;
         add_header Content-Type "text/plain; charset=utf-8" always;
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+        add_header X-Content-Type-Options "nosniff" always;
         return 204;
     }
 
     add_header Access-Control-Allow-Origin $cors_origin always;
     add_header Vary "Origin" always;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-Content-Type-Options "nosniff" always;
 
     rewrite ^/cms-api/(.*)$ /$1 break;
     proxy_pass http://openccb-studio:3001;