Add security headers middleware and tests; improve user model schema

- Added security headers middleware to enforce best practices (e.g., XSS and clickjacking prevention, CSP, HSTS in production).
- Updated `User` model schema: refined field constraints and switched `preferences` to `JSONB` for PostgreSQL compatibility.
- Introduced tests to validate security headers across endpoints and error responses.
- Ensured headers like `X-Frame-Options`, `X-Content-Type-Options`, and `Permissions-Policy` are correctly configured.

backend/app/models/user.py

@@ -1,4 +1,5 @@
-from sqlalchemy import Column, String, JSON, Boolean
+from sqlalchemy import Column, String, Boolean
+from sqlalchemy.dialects.postgresql import JSONB
 
 from .base import Base, TimestampMixin, UUIDMixin
 
@@ -6,14 +7,14 @@ from .base import Base, TimestampMixin, UUIDMixin
 class User(Base, UUIDMixin, TimestampMixin):
     __tablename__ = 'users'
 
-    email = Column(String, unique=True, nullable=False, index=True)
-    password_hash = Column(String, nullable=False)
-    first_name = Column(String, nullable=False, default="user")
-    last_name = Column(String, nullable=True)
-    phone_number = Column(String)
-    is_active = Column(Boolean, default=True, nullable=False)
-    is_superuser = Column(Boolean, default=False, nullable=False)
-    preferences = Column(JSON)
+    email = Column(String(255), unique=True, nullable=False, index=True)
+    password_hash = Column(String(255), nullable=False)
+    first_name = Column(String(100), nullable=False, default="user")
+    last_name = Column(String(100), nullable=True)
+    phone_number = Column(String(20))
+    is_active = Column(Boolean, default=True, nullable=False, index=True)
+    is_superuser = Column(Boolean, default=False, nullable=False, index=True)
+    preferences = Column(JSONB)
 
     def __repr__(self):
         return f"<User {self.email}>"