security: add security headers and remove credential logging

nginx.conf:
- Add Content-Security-Policy header
- Add HSTS header (commented, enable in production)
- Add Referrer-Policy and Permissions-Policy headers

accounts.py:
- Remove debug logging that could expose credentials
- Simplify error handling in token endpoint

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

Author: Clément VALENTIN

apps/api/src/routers/accounts.py

@@ -225,10 +225,6 @@ async def get_token(
 
     Accepts credentials either in form data or in Authorization header (Basic Auth).
     """
-    logger.debug(f"[TOKEN] Received request - Content-Type: {request.headers.get('content-type')}")
-    logger.debug(f"[TOKEN] Authorization header: {request.headers.get('authorization', 'None')[:50] if request.headers.get('authorization') else 'None'}")
-    logger.debug(f"[TOKEN] Form client_id: {client_id}, client_secret: {'***' if client_secret else None}")
-
     # Try to get credentials from Authorization header (Basic Auth)
     if not client_id or not client_secret:
         auth_header = request.headers.get('authorization')
@@ -238,28 +234,24 @@ async def get_token(
                 encoded = auth_header.split(' ')[1]
                 decoded = base64.b64decode(encoded).decode('utf-8')
                 client_id, client_secret = decoded.split(':', 1)
-                logger.debug(f"[TOKEN] From Basic Auth - client_id: {client_id}, client_secret: ***")
-            except Exception as e:
-                logger.error(f"[TOKEN] Failed to parse Basic Auth: {e}")
+            except Exception:
+                pass  # Invalid Basic Auth format, will try form data next
 
     # If still not found, try form data
     if not client_id or not client_secret:
         try:
             form_data = await request.form()
-            logger.debug(f"[TOKEN] Form data keys: {list(form_data.keys())}")
             client_id_form = form_data.get('client_id')
             client_secret_form = form_data.get('client_secret')
             # Only use if it's a string (not UploadFile)
             if isinstance(client_id_form, str):
                 client_id = client_id_form or client_id
             if isinstance(client_secret_form, str):
                 client_secret = client_secret_form or client_secret
-            logger.debug(f"[TOKEN] After form parse - client_id: {client_id}, client_secret: {'***' if client_secret else None}")
-        except Exception as e:
-            logger.error(f"[TOKEN] Failed to parse form: {e}")
+        except Exception:
+            pass  # Form parsing failed, credentials may still be from Basic Auth
 
     if not client_id or not client_secret:
-        logger.debug(f"[TOKEN] Missing credentials - client_id: {client_id}, client_secret: {'***' if client_secret else None}")
         raise HTTPException(status_code=422, detail="client_id and client_secret are required (provide in form data or Basic Auth header)")
 
     # Find user by client_id

apps/web/nginx.conf

@@ -26,4 +26,14 @@ server {
     add_header X-Frame-Options "SAMEORIGIN" always;
     add_header X-Content-Type-Options "nosniff" always;
     add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
+
+    # HSTS - Force HTTPS for 1 year (enable in production behind HTTPS proxy)
+    # Uncomment when served over HTTPS:
+    # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+    # Content Security Policy
+    # Allows inline styles (Tailwind), scripts from self, and API connections
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://logo.clearbit.com; font-src 'self'; connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self';" always;
 }