feat: Enhance gin security and configuration options

[timokoessler]

Type of change

• 🐛 Bug fix
• 🚀 New feature
• ❓ Other (please specify)

Description

• The following config options are added: APP_URL, HOST (optional), TRUSTED_PROXIES
• Adds security headers and disables search indexing
• Implements a CSRF protection based on the origin header
• Fixes the Justfile not working on Windows

[Copilot]

Pull request overview

This PR introduces additional runtime configuration and security hardening for the Gin-based Hub server, while also preventing search indexing and improving Windows compatibility for backend build tooling.

Changes:

• Add new Hub config options (APP_URL, HOST, TRUSTED_PROXIES) and wire them into server startup.
• Add security-related middleware (security headers + Origin-based CSRF protection).
• Disable search indexing (robots + headers) and update the backend Justfile for Windows support.

Reviewed changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
frontend/public/robots.txt	Blocks crawlers via Disallow (and adds a nonstandard Noindex directive).
backend/internal/hub/url.go	Adds APP_URL parsing/validation used for Origin checks.
backend/internal/hub/server.go	Extends Hub config and applies trusted proxies + new security middleware.
backend/internal/hub/middleware/security.go	Adds common security headers (CSP, clickjacking protection, etc.).
backend/internal/hub/middleware/csrf.go	Adds Origin validation middleware for non-safe HTTP methods.
backend/cmd/hub/main.go	Updates CLI to handle DefaultConfig() errors.
backend/Justfile	Adds Windows shell support and refactors env var handling for CGO.
.gitignore	Ignores a local Claude settings file.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.