Fix security vulnerabilities across backend, frontend, and infra

- Fix auth bypass in UpdatePost/DeletePost (missing return after auth check)
- Remove Spotify access token from callback response
- Replace internal error messages with generic responses in all handlers
- Harden GraphQL: complexity limit, disable playground/introspection in prod
- Add security headers (X-Frame-Options, HSTS, etc.) to nginx
- Disable Hasura console/dev mode in production
- Add DOMPurify sanitization to Markdown component
- Fix cookie removal to use correct domain/path from auth config
- Fix nil dereference in rowing handler when Claude API errors
- Fix wildcard CORS on stamp endpoint
- Pin nginx and certbot Docker image versions

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

nginx/Dockerfile

@@ -1,4 +1,4 @@
-FROM nginx:latest
+FROM nginx:1.27
 RUN rm -rf /etc/nginx/html/* && \
     apt-get update && apt-get install -y gettext-base openssl && \
     rm -rf /var/lib/apt/lists/*