fix: add session auth to SearXNG web search proxy (FINAL-02)
Security audit findings — zero critical/high issues:
- Fixed: SearXNG API proxy was missing session cookie check
- Verified: RPC endpoints use session auth + CSRF tokens + rate limiting
- Verified: Cookies use HttpOnly + SameSite=Strict + Secure (prod)
- Verified: Secrets encrypted with AES-256-GCM, 0600 permissions
- Verified: Container isolation with capability dropping, readonly root
- Verified: Nginx has security headers (CSP, X-Frame-Options, etc.)
- Verified: CORS validates against allowlist (no wildcard)
- Low findings documented: legacy plaintext secret fallback, v-html for TOTP QR
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
fc57570a0e