fix(安全): 关闭白名单时保留最小校验与默认白名单

实现 allow_insecure_http 并在关闭校验时执行最小格式验证
- 关闭 allowlist 时要求 URL 可解析且 scheme 合规
- 响应头过滤关闭时使用默认白名单策略
- 更新相关文档、示例与测试覆盖

backend/internal/config/config.go

@@ -131,6 +131,8 @@ type URLAllowlistConfig struct {
 	PricingHosts      []string `mapstructure:"pricing_hosts"`
 	CRSHosts          []string `mapstructure:"crs_hosts"`
 	AllowPrivateHosts bool     `mapstructure:"allow_private_hosts"`
+	// 关闭 URL 白名单校验时，是否允许 http URL（默认只允许 https）
+	AllowInsecureHTTP bool     `mapstructure:"allow_insecure_http"`
 }
 
 type ResponseHeaderConfig struct {
@@ -384,10 +386,10 @@ func Load() (*Config, error) {
 	}
 
 	if !cfg.Security.URLAllowlist.Enabled {
-		log.Println("Warning: security.url_allowlist.enabled=false; URL validation is disabled.")
+		log.Println("Warning: security.url_allowlist.enabled=false; allowlist/SSRF checks disabled (minimal format validation only).")
 	}
 	if !cfg.Security.ResponseHeaders.Enabled {
-		log.Println("Warning: security.response_headers.enabled=false; response header filtering is disabled.")
+		log.Println("Warning: security.response_headers.enabled=false; configurable header filtering disabled (default allowlist only).")
 	}
 
 	if cfg.Server.Mode != "release" && cfg.JWT.Secret != "" && isWeakJWTSecret(cfg.JWT.Secret) {
@@ -435,6 +437,7 @@ func setDefaults() {
 	})
 	viper.SetDefault("security.url_allowlist.crs_hosts", []string{})
 	viper.SetDefault("security.url_allowlist.allow_private_hosts", false)
+	viper.SetDefault("security.url_allowlist.allow_insecure_http", false)
 	viper.SetDefault("security.response_headers.enabled", false)
 	viper.SetDefault("security.response_headers.additional_allowed", []string{})
 	viper.SetDefault("security.response_headers.force_remove", []string{})