fix(安全): 关闭白名单时保留最小校验与默认白名单

实现 allow_insecure_http 并在关闭校验时执行最小格式验证
- 关闭 allowlist 时要求 URL 可解析且 scheme 合规
- 响应头过滤关闭时使用默认白名单策略
- 更新相关文档、示例与测试覆盖

deploy/config.example.yaml

@@ -56,8 +56,10 @@ security:
     crs_hosts: []
     # Allow localhost/private IPs for upstream/pricing/CRS (use only in trusted networks)
     allow_private_hosts: false
+    # Allow http:// URLs when allowlist is disabled (default: false, require https)
+    allow_insecure_http: false
   response_headers:
-    # Enable response header filtering (disable to pass through upstream headers)
+    # Enable configurable response header filtering (disable to use default allowlist)
     enabled: false
     # Extra allowed response headers from upstream
     additional_allowed: []