fix: restringir cabeceras a HTML y robustecer proxy; quitar checkOrigin

Co-authored-by: aider (openrouter/openai/gpt-5) <aider@aider.chat>

apps/web/src/hooks.server.ts

@@ -70,11 +70,15 @@ export const handle: Handle = async ({ event, resolve }) => {
 
 	const response = await resolve(event);
 
-	// Cabeceras de seguridad básicas
+	// Cabeceras de seguridad y caché: solo para HTML
 	try {
-		response.headers.set('X-Frame-Options', 'DENY');
-		response.headers.set('Referrer-Policy', 'no-referrer');
-		response.headers.set('X-Content-Type-Options', 'nosniff');
+		const ct = response.headers.get('content-type') || '';
+		if (ct.includes('text/html')) {
+			response.headers.set('cache-control', 'no-store');
+			response.headers.set('X-Frame-Options', 'DENY');
+			response.headers.set('Referrer-Policy', 'no-referrer');
+			response.headers.set('X-Content-Type-Options', 'nosniff');
+		}
 	} catch {
 		// Ignorar si la implementación de Response no permite set()
 	}

apps/web/svelte.config.js

@@ -13,7 +13,6 @@ const config = {
 		// See https://svelte.dev/docs/kit/adapters for more information about adapters.
 		adapter: adapter(),
 		csrf: {
-			checkOrigin: false,
 			trustedOrigins: ['*']
 		}
 	}

proxy.ts

@@ -48,8 +48,13 @@ Bun.serve({
       try {
         console.log(`[proxy] ${req.method} ${url.pathname}${url.search} -> ${routeToBot ? 'bot' : 'web'} ${res.status} (${ms}ms)`);
       } catch {}
-      // Devuelve la respuesta tal cual (incluye Set-Cookie, Location, etc.)
-      return res;
+      // Devuelve la respuesta (incluye Set-Cookie, Location, etc.), asegurando Content-Type en assets por si faltase
+      const passthroughHeaders = new Headers(res.headers);
+      if (!passthroughHeaders.get('content-type')) {
+        if (url.pathname.endsWith('.js')) passthroughHeaders.set('content-type', 'application/javascript; charset=utf-8');
+        if (url.pathname.endsWith('.css')) passthroughHeaders.set('content-type', 'text/css; charset=utf-8');
+      }
+      return new Response(res.body, { status: res.status, headers: passthroughHeaders });
     } catch (err) {
       const msg = err instanceof Error ? err.message : String(err);
       console.error(`[proxy] ${req.method} ${url.pathname}${url.search} -> ERROR: ${msg}`);