Harden security, polish admin UI and document Windows WebDAV

- helmet, express-rate-limit (login/setup/customer-auth/me-password)
- Constant-time login (bcrypt always runs against a dummy hash on miss)
- Cookie secure flag follows req.protocol; trust proxy is env-gated to
  prevent X-Forwarded-For spoofing on direct exposure
- Drop SVG from accepted logo types (same-origin XSS) and resolve the
  served logo path against LOGO_DIR as defense in depth
- Self-service /me/password endpoint plus header button; bumps minimum
  password length to 8 across backend, prompts and edit modal
- Multer 1.x → 2.x for current security backports
- Customer edit modal replaces stacked prompts; user role is now an
  inline dropdown with a confirm-and-revert flow
- Windows .reg helper plus README section for Basic-Auth-over-HTTP and
  the http:// vs \\HOST@PORT\DavWWWRoot\ mapping syntax

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.env.example

@@ -1,3 +1,12 @@
 # Ports, auf denen die Services vom Host erreichbar sind.
 APP_PORT=3500
 WEBDAV_PORT=1900
+
+# Auf "true" setzen, wenn die App hinter einem Reverse-Proxy (nginx/Traefik/Caddy)
+# läuft, der X-Forwarded-For/-Proto setzt. Sonst bitte aus lassen, sonst können
+# Angreifer per gespooften X-Forwarded-For die Rate-Limits umgehen.
+# TRUST_PROXY=true
+
+# Erzwingt das "Secure"-Flag auf Session-Cookies (für HTTPS-only Setups).
+# Wenn TRUST_PROXY=true gesetzt ist, wird das automatisch erkannt.
+# SECURE_COOKIES=true