## ADDED Requirements

### Requirement: Security response headers

The Next.js application SHALL add security response headers to all routes via the `headers()` function in `next.config.js`. The following headers SHALL be set:

- `X-Frame-Options: DENY`
- `X-Content-Type-Options: nosniff`
- `Referrer-Policy: strict-origin-when-cross-origin`
- `Permissions-Policy: camera=(), microphone=(), geolocation=()`
- `Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: blob:`

#### Scenario: Headers present on HTML response

- **WHEN** a browser requests any page
- **THEN** the response includes all five security headers

#### Scenario: Headers present on API response

- **WHEN** a client requests any `/api/*` endpoint
- **THEN** the response includes all five security headers

#### Scenario: Clickjacking prevented

- **WHEN** a third-party site attempts to embed the application in an iframe
- **THEN** the browser blocks the embedding due to `X-Frame-Options: DENY`
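The following is an added example of how this requirement can be satisfied and verified; it is not the project's own `next.config.js`. The header names and values are taken from the requirement above; the helper names `buildSecurityHeaders`, `missingSecurityHeaders` and the sample response object are assumptions made for the example. The `'/(.*)'` source pattern matches every route, including `/api/*` handlers, which is what the two "headers present" scenarios require.

```javascript
// Added example (not the project's next.config.js): the five security
// headers from the requirement, applied to every route via Next.js's
// headers() config hook, plus a small checker for a smoke test.
// buildSecurityHeaders, missingSecurityHeaders and SAMPLE_PARTIAL_RESPONSE
// are names chosen for this example.

const CONTENT_SECURITY_POLICY = [
  "default-src 'self'",
  "script-src 'self' 'unsafe-eval' 'unsafe-inline'",
  "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
  "font-src 'self' https://fonts.gstatic.com",
  "img-src 'self' data: blob:",
].join('; ');

// The five required headers, as { key, value } pairs in the shape
// Next.js expects inside a headers() entry.
function buildSecurityHeaders() {
  return [
    { key: 'X-Frame-Options', value: 'DENY' },
    { key: 'X-Content-Type-Options', value: 'nosniff' },
    { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
    { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
    { key: 'Content-Security-Policy', value: CONTENT_SECURITY_POLICY },
  ];
}

// Next.js calls this at build time. The '/(.*)' source matches every
// route, so page responses and /api/* responses both receive the headers.
async function headers() {
  return [{ source: '/(.*)', headers: buildSecurityHeaders() }];
}

// Verification helper: given a plain object of response header names to
// values (any letter case, e.g. from Node's res.headers), return the names
// of required headers that are absent or carry a value other than the one
// the requirement specifies. An empty array means the response is compliant.
function missingSecurityHeaders(responseHeaders) {
  const normalized = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    normalized[name.toLowerCase()] = value;
  }
  return buildSecurityHeaders()
    .filter(({ key, value }) => normalized[key.toLowerCase()] !== value)
    .map(({ key }) => key);
}

// Constructed sample response: four headers set correctly, CSP missing.
// Used here to show the checker reporting the gap.
const SAMPLE_PARTIAL_RESPONSE = {
  'x-frame-options': 'DENY',
  'x-content-type-options': 'nosniff',
  'referrer-policy': 'strict-origin-when-cross-origin',
  'permissions-policy': 'camera=(), microphone=(), geolocation=()',
  'content-type': 'text/html; charset=utf-8',
};

// What an actual next.config.js would export; the helpers above stay
// module-local so Next.js sees only the config keys it recognizes.
const nextConfig = { headers };

if (typeof module !== 'undefined') {
  module.exports = nextConfig;
}
```

Usage: drop the `headers()` function and `nextConfig` into `next.config.js`; in a smoke test, fetch `/` and one `/api/*` route and assert that `missingSecurityHeaders(res.headers)` returns an empty array for each. One design note: the CSP value as specified permits `'unsafe-inline'` and `'unsafe-eval'` for scripts, which keeps Next.js's development tooling working but means the policy does not block injected inline script; tightening it to a nonce-based `script-src` is the usual next step once the baseline headers are in place.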