Move security headers from Caddyfiles to PHP middleware

- Add SecurityHeadersMiddleware that sets Content-Security-Policy,
  X-Content-Type-Options, X-Frame-Options, X-Permitted-Cross-Domain-Policies,
  X-DNS-Prefetch-Control, Referrer-Policy, and X-Robots-Tag on all responses
- Register SecurityHeadersMiddleware in index.php
- Add click-handlers.js for CSP-compliant event handling (data-confirm,
  data-stop-event-propagation)
- Update toggle-dark-mode.js to attach click handler via addEventListener
- Remove inline onclick from theme toggle button in layout.twig
- Replace all inline onclick with data-confirm in containers.twig,
  community-containers.twig, and optional-containers.twig

Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/d87889ba-d2ad-4d76-b257-2afd725dac28

php/public/index.php

@@ -55,6 +55,9 @@ $twig->addExtension(new \AIO\Twig\CsrfExtension($container->get(Guard::class)));
 // Auth Middleware
 $app->add(new \AIO\Middleware\AuthMiddleware($container->get(\AIO\Auth\AuthManager::class)));
 
+// Security Headers Middleware
+$app->add(new \AIO\Middleware\SecurityHeadersMiddleware());
+
 // API
 $app->post('/api/docker/watchtower', AIO\Controller\DockerController::class . ':StartWatchtowerContainer');
 $app->get('/api/docker/getwatchtower', AIO\Controller\DockerController::class . ':StartWatchtowerContainer');