Harden security headers and tune rate limiter

[robertocarlous]

Body:

helmet is present but needs definite production configuration. Ensure trust proxy is configured behind proxies, set strict security header policies, and tune rate limits per sensitive routes.

Acceptance Criteria:

• helmet is configured with strict defaults for production.
• trust proxy is documented and configurable.
• Rate limits are applied to public endpoints and documented.

[Yormee-103]

hello maintainer i would like to work in this issue

[grantfox-oss]

🦊 GrantFox — @Yormee-103 has been assigned to this issue as part of the Official Campaign campaign!

Next steps:

1. Open a Pull Request referencing this issue (e.g., Closes #150)
2. Your PR will be reviewed by the Neurowealth maintainers

Good luck! Track your progress on GrantFox.

[grantfox-oss]

🎉 This issue has been marked as completed on GrantFox as part of the Official Campaign campaign!

@Yormee-103's PR #154 was approved and merged by @robertocarlous.

🏆 @Yormee-103: You earned 35 FoxPoints for this contribution! Your current tier: Explorer (48 total points). Track your full progress on GrantFox.

👏 Great work, @Yormee-103! Keep contributing to Neurowealth.