feat(安全): 强化安全策略与配置校验

- 增加 CORS/CSP/安全响应头与代理信任配置

- 引入 URL 白名单与私网开关，校验上游与价格源

- 改善 API Key 处理与网关错误返回

- 管理端设置隐藏敏感字段并优化前端提示

- 增加计费熔断与相关配置示例

测试: go test ./...

backend/internal/server/api_contract_test.go

@@ -295,13 +295,13 @@ func TestAPIContracts(t *testing.T) {
 					"smtp_host": "smtp.example.com",
 					"smtp_port": 587,
 					"smtp_username": "user",
-					"smtp_password": "secret",
+					"smtp_password_configured": true,
 					"smtp_from_email": "no-reply@example.com",
 					"smtp_from_name": "Sub2API",
 					"smtp_use_tls": true,
 					"turnstile_enabled": true,
 					"turnstile_site_key": "site-key",
-					"turnstile_secret_key": "secret-key",
+					"turnstile_secret_key_configured": true,
 					"site_name": "Sub2API",
 					"site_logo": "",
 					"site_subtitle": "Subtitle",