Fix security vulnerabilities across backend, frontend, and infra

- Fix auth bypass in UpdatePost/DeletePost (missing return after auth check)
- Remove Spotify access token from callback response
- Replace internal error messages with generic responses in all handlers
- Harden GraphQL: complexity limit, disable playground/introspection in prod
- Add security headers (X-Frame-Options, HSTS, etc.) to nginx
- Disable Hasura console/dev mode in production
- Add DOMPurify sanitization to Markdown component
- Fix cookie removal to use correct domain/path from auth config
- Fix nil dereference in rowing handler when Claude API errors
- Fix wildcard CORS on stamp endpoint
- Pin nginx and certbot Docker image versions

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend/handlers/handle_favorites.go

@@ -1,6 +1,7 @@
 package handlers
 
 import (
+	"log"
 	"net/http"
 
 	"adam-french.co.uk/backend/models"
@@ -16,7 +17,8 @@ type CreateFavoriteInput struct {
 func (store *Store) GetFavorites(ctx *gin.Context) {
 	var favorites []models.Favorite
 	if err := store.DB.Order("Created_At DESC").Find(&favorites).Error; err != nil {
-		ctx.JSON(http.StatusInternalServerError, err.Error())
+		log.Println(err)
+		ctx.JSON(http.StatusInternalServerError, gin.H{"error": "internal error"})
 		return
 	}
 	ctx.JSON(http.StatusOK, favorites)
@@ -25,14 +27,15 @@ func (store *Store) GetFavorites(ctx *gin.Context) {
 func (store *Store) CreateFavorite(ctx *gin.Context) {
 	var input CreateFavoriteInput
 	if err := ctx.ShouldBindBodyWithJSON(&input); err != nil {
-		ctx.JSON(http.StatusBadRequest, err.Error())
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": "invalid request body"})
 		return
 	}
 
 	favorite := models.Favorite{Type: input.Type, Name: input.Name, Link: input.Link}
 	tx := store.DB.Create(&favorite)
 	if tx.Error != nil {
-		ctx.JSON(http.StatusInternalServerError, tx.Error.Error())
+		log.Println(tx.Error)
+		ctx.JSON(http.StatusInternalServerError, gin.H{"error": "internal error"})
 		return
 	}