Move security headers from Caddyfiles to PHP middleware

- Add SecurityHeadersMiddleware that sets Content-Security-Policy,
  X-Content-Type-Options, X-Frame-Options, X-Permitted-Cross-Domain-Policies,
  X-DNS-Prefetch-Control, Referrer-Policy, and X-Robots-Tag on all responses
- Register SecurityHeadersMiddleware in index.php
- Add click-handlers.js for CSP-compliant event handling (data-confirm,
  data-stop-event-propagation)
- Update toggle-dark-mode.js to attach click handler via addEventListener
- Remove inline onclick from theme toggle button in layout.twig
- Replace all inline onclick with data-confirm in containers.twig,
  community-containers.twig, and optional-containers.twig

Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/d87889ba-d2ad-4d76-b257-2afd725dac28

php/public/toggle-dark-mode.js

@@ -32,4 +32,7 @@ function setThemeIcon(theme) {
 setThemeToDOM(getSavedTheme());
 
 // Apply theme when the page loads
-document.addEventListener('DOMContentLoaded', () => setThemeIcon(getSavedTheme()));
+document.addEventListener('DOMContentLoaded', () => {
+    setThemeIcon(getSavedTheme())
+    document.querySelector('button#theme-toggle')?.addEventListener('click', toggleTheme);
+});