added bookmark auth, CSP, per-session CSRF

- Bookmark endpoint now requires a secret token (stored in settings)
- Style reset moved from GET to POST with CSRF protection
- Open redirect prevention in _redirect() helper
- Import capped at 100 URLs to prevent abuse
- page_tags cleaned up on delete + PRAGMA foreign_keys enabled
- CSP, X-Frame-Options, X-Content-Type-Options on all responses
- CSRF tokens now per-session via double-submit cookie pattern
- Tag names URL-decoded for special characters
- Gateway forwards cookies in request data
This commit is contained in:
lichenblankie 2026-03-26 11:10:37 -07:00
parent 0981c2e0a9
commit 4899819597
3 changed files with 83 additions and 11 deletions

db.py

@ -56,6 +56,7 @@ def clean_url(url):
def get_db():
db = sqlite3.connect(DATABASE)
db.execute("PRAGMA foreign_keys = ON")
db.row_factory = sqlite3.Row
return db
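Review bot: `PRAGMA foreign_keys = ON` is per-connection in SQLite and defaults to off, so issuing it in get_db() immediately after sqlite3.connect() is the right place, but it only enforces constraints the schema actually declares; the page_tags cleanup that the commit message promises therefore depends on either an `ON DELETE CASCADE` on the page_tags foreign key or an explicit delete in the delete handler, neither of which is visible in this hunk, so a short comment on this line saying which one is relied upon would make the intent checkable. Also worth documenting that switching enforcement on for an existing database containing orphaned page_tags rows will turn previously silent deletes into a FOREIGN KEY constraint failure until those rows are cleaned up.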