feat(security): add CSRF header constants and security-headers endpoint

Move X-BanGUI-Request header name/value to backend/app/utils/constants.py as single source of truth. Add GET /api/v1/config/security-headers endpoint. Update csrf middleware, frontend api client, and docs to use shared constants.

frontend/src/api/client.ts

@@ -16,6 +16,7 @@
 
 import { ErrorResponse } from "../types/response";
 import { ENDPOINTS } from "./endpoints";
+import { CSRF_HEADER_NAME, CSRF_HEADER_VALUE } from "../utils/constants";
 
 /** Base URL for all API calls. Falls back to `/api/v1` in production. */
 const BASE_URL: string = import.meta.env.VITE_API_URL ?? "/api/v1";
@@ -173,7 +174,7 @@ async function request<T>(url: string, options: RequestInit = {}): Promise<T> {
 
     // Only set CSRF header for state-mutating requests (not for GET/HEAD/OPTIONS).
     if (isMutatingMethod) {
-      headers["X-BanGUI-Request"] = "1";
+      headers[CSRF_HEADER_NAME] = CSRF_HEADER_VALUE;
     }
 
     // Always add correlation ID for distributed tracing

frontend/src/utils/constants.ts

@@ -38,3 +38,13 @@ export const STORAGE_KEY_SIDEBAR_COLLAPSED = "bangui_sidebar_collapsed" as const
 
 /** LocalStorage key for theme preference. */
 export const STORAGE_KEY_THEME = "bangui_theme" as const;
+
+// ---------------------------------------------------------------------------
+// Security
+// ---------------------------------------------------------------------------
+
+/** CSRF header name - must match backend/app/utils/constants.py CSRF_HEADER_NAME. */
+export const CSRF_HEADER_NAME = "X-BanGUI-Request" as const;
+
+/** CSRF header required value - must match backend/app/utils/constants.py CSRF_HEADER_VALUE. */
+export const CSRF_HEADER_VALUE = "1" as const;