Harden backend security: IDOR fix, error sanitization, rate limiter fallback, security headers

- Fix task status IDOR by adding ownership check; suppress traceback/error in production
- Passkey routes: return generic error messages for internal exceptions, keep ValueError for user-facing
- JWT_SECRET and OIDC_CLIENT_ID: raise RuntimeError in production when using defaults
- Rate limiter: add in-memory fallback counter when Redis is unavailable
- Fix X-Forwarded-For IP spoofing with trusted_proxy_depth (rightmost-N selection)
- Add SecurityHeadersMiddleware (X-Content-Type-Options, X-Frame-Options, CSP, conditional HSTS)
- CORS: add PUT/DELETE methods for POI routes
- POI input validation: field length and coordinate range constraints
- QueryParameters: add min_sqm <= max_sqm validation

models/listing.py

@@ -248,4 +248,12 @@ class QueryParameters(BaseModel):
             raise ValueError(
                 f"min_price_per_sqm ({self.min_price_per_sqm}) must be <= max_price_per_sqm ({self.max_price_per_sqm})"
             )
+        if (
+            self.min_sqm is not None
+            and self.max_sqm is not None
+            and self.min_sqm > self.max_sqm
+        ):
+            raise ValueError(
+                f"min_sqm ({self.min_sqm}) must be <= max_sqm ({self.max_sqm})"
+            )
         return self