Backend/frontend hardening & consistency cleanups (#1113)

* refactor(auth): session token validation and password-change consistency

* refactor(journey): entry field allow-list and public share-link consistency

* refactor(mcp): align tool authorization with the REST permission checks

* chore: input validation and sanitisation touch-ups (uploads, pdf, maps, backup, csp)

server/src/middleware/globalMiddleware.ts

@@ -107,6 +107,9 @@ export function applyGlobalMiddleware(
         objectSrc: ["'none'"],
         frameSrc: ["'none'"],
         frameAncestors: ["'self'"],
+        // Restrict <form> submission targets (form-action has no default-src
+        // fallback, so it must be set explicitly).
+        formAction: ["'self'"],
         upgradeInsecureRequests: shouldForceHttps ? [] : null
       }
     },