security: enable CSRF, HSTS, and CSP in shield config

- Enable CSRF protection with XSRF cookie for Inertia.js/React SPA
- Enable HSTS with 180-day max-age and includeSubDomains
- Enable CSP with nonce-based script policy, unsafe-inline for Tailwind
  styles, and restrictive defaults for frames/objects
- Allow map tile sources in img-src for offline map support

https://claude.ai/code/session_01JFvpTYgm8GiE4vJ4cJKsFx

admin/config/shield.ts

@@ -6,8 +6,19 @@ const shieldConfig = defineConfig({
    * to learn more
    */
   csp: {
-    enabled: false,
-    directives: {},
+    enabled: true,
+    directives: {
+      defaultSrc: ["'self'"],
+      scriptSrc: ["'self'", '@nonce'],
+      styleSrc: ["'self'", "'unsafe-inline'"],
+      imgSrc: ["'self'", 'data:', 'blob:', 'https://*.tile.openstreetmap.org'],
+      fontSrc: ["'self'"],
+      connectSrc: ["'self'"],
+      frameSrc: ["'none'"],
+      objectSrc: ["'none'"],
+      baseUri: ["'self'"],
+      formAction: ["'self'"],
+    },
     reportOnly: false,
   },
 
@@ -16,7 +27,7 @@ const shieldConfig = defineConfig({
    * to learn more
    */
   csrf: {
-    enabled: false, // TODO: Enable CSRF protection
+    enabled: true,
     exceptRoutes: [],
     enableXsrfCookie: true,
     methods: ['POST', 'PUT', 'PATCH', 'DELETE'],
@@ -35,8 +46,9 @@ const shieldConfig = defineConfig({
    * Force browser to always use HTTPS
    */
   hsts: {
-    enabled: false, // TODO: Enable HSTS in production
+    enabled: true,
     maxAge: '180 days',
+    includeSubDomains: true,
   },
 
   /**