Security-Hardening (Pentest-Findings F-02 bis F-07)

- CSRF-Schutz: session-gebundenes Token in allen POST-Formularen, serverseitig
  per before_request geprueft; /nic/update ausgenommen (Basic-Auth-API)
- Brute-Force-Schutz: DB-gestuetzter Login-Lockout pro Client-IP
  (5 Fehlversuche -> 15 min), echte IP via ProxyFix/X-Forwarded-For
- SSRF: validate_plesk_url() erzwingt http(s) und blockt Link-Local/Metadata,
  Multicast und reservierte Ziele
- Session-Cookies: HttpOnly, SameSite=Lax, Secure (per Env abschaltbar)
- Security-Header: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- Generische Plesk-Fehlermeldungen (keine internen URLs im UI)
- CSS/JS nach static/ ausgelagert -> strikte CSP ohne 'unsafe-inline'
- login_attempts-Tabelle + README-Security-Abschnitt

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

app/templates/settings.html

@@ -12,6 +12,7 @@
       <div class="card-header fw-semibold">Plesk-Server</div>
       <div class="card-body">
         <form method="post" action="{{ url_for('settings_plesk') }}">
+          <input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
           <div class="mb-3">
             <label class="form-label">Plesk URL</label>
             <input name="plesk_url" type="url" class="form-control font-monospace"
@@ -57,6 +58,7 @@
       <div class="card-header fw-semibold">Admin-Passwort ändern</div>
       <div class="card-body">
         <form method="post" action="{{ url_for('settings_password') }}">
+          <input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
           <div class="mb-3">
             <label class="form-label">Aktuelles Passwort</label>
             <input name="current_password" type="password" class="form-control" required>