Function security_headers_middleware 

pub async fn security_headers_middleware(
    req: Request<Body>,
    next: Next,
) -> impl IntoResponse
Axum middleware that sets security response headers on every dev API response.

Headers applied:

  • X-Content-Type-Options: nosniff — prevents MIME sniffing
  • Cache-Control: no-store — prevents caching of sensitive diagnostics
  • X-Frame-Options: DENY — prevents clickjacking via iframe embedding

Also rejects CORS preflight (OPTIONS) requests with 403 Forbidden. The dev API is localhost-only and must not be accessible cross-origin.
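
A conformance check for the behaviour documented above, as an added example that is not part of this crate: it audits a raw HTTP/1.1 response head for the three headers and the 403 preflight rule. The name `audit_response`, the sample responses, and the extra `Access-Control-Allow-Origin` check are assumptions, as is the reading that the 403 response itself carries the three headers.

```rust
use std::collections::HashMap;
// Header/value pairs the page lists (compared case-insensitively).
const REQUIRED: [(&str, &str); 3] = [
    ("x-content-type-options", "nosniff"),
    ("cache-control", "no-store"),
    ("x-frame-options", "deny"),
];
// Constructed sample responses, not captured from a real server.
const SAMPLE_OK: &str = "HTTP/1.1 403 Forbidden\r\nX-Content-Type-Options: nosniff\r\n\
Cache-Control: no-store\r\nX-Frame-Options: DENY\r\n\r\n";
const SAMPLE_BAD: &str = "HTTP/1.1 204 No Content\r\nCache-Control: no-cache, no-store\r\n\
Access-Control-Allow-Origin: *\r\n\r\n";
/// Returns one finding per deviation; an empty Vec means the response conforms.
pub fn audit_response(method: &str, raw: &str) -> Vec<String> {
    let mut lines = raw.lines();
    // Status line "HTTP/1.1 403 Forbidden" -> 403 (0 if unparseable).
    let status: u16 = lines.next().and_then(|l| l.split_whitespace().nth(1))
        .and_then(|s| s.parse().ok()).unwrap_or(0);
    // Header names are case-insensitive; stop at the blank line before the body.
    let mut headers: HashMap<String, Vec<String>> = HashMap::new();
    for line in lines.take_while(|l| !l.trim().is_empty()) {
        if let Some((name, value)) = line.split_once(':') {
            headers.entry(name.trim().to_ascii_lowercase()).or_default()
                .push(value.trim().to_ascii_lowercase());
        }
    }
    let mut findings = Vec::new();
    for (name, want) in REQUIRED {
        // Cache-Control is a comma-separated list, so compare per directive.
        let ok = headers.get(name).map_or(false, |vals| {
            vals.iter().flat_map(|v| v.split(',')).any(|d| d.trim() == want)
        });
        if !ok { findings.push(format!("{}: expected {}", name, want)); }
    }
    if method.eq_ignore_ascii_case("OPTIONS") && status != 403 {
        findings.push(format!("preflight answered {}, expected 403", status));
    }
    // Assumption beyond the page's list: a CORS allow header contradicts "not cross-origin".
    if headers.contains_key("access-control-allow-origin") {
        findings.push("Access-Control-Allow-Origin present".to_string());
    }
    findings
}

fn main() {
    for (label, raw) in [("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)] {
        println!("{}: {:?}", label, audit_response("OPTIONS", raw));
    }
}
```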