This change adds a centralized after_request middleware that now sets CSP, HSTS, frame/MIME protections, permissions policy, and cross-origin isolation headers, while also stripping the Server header. It also applies context-aware cache rules so login, cart, checkout, and admin endpoints are not cached, while static assets get long-lived immutable caching, and CDN assets in the base template now include SRI hashes. The commit includes a verification guide documenting expected headers, deployment checks, and known platform limits, making the hardening easier to validate in production. Practical effect: safer defaults for every response with better protection against XSS, clickjacking, information leakage, and accidental caching of sensitive pages.

Implemented a broader Flask security hardening pass to reduce browser-side attack surface and tighten caching behavior for sensitive routes. - zhengqunkoo/Luxuryshoppingwebsite
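The after_request hook the description refers to, as an added example that is not the repository's own code: one plain function applies the header set and the per-route cache rules, and a small registration helper wires it into a Flask app. The header values, the sensitive-route prefixes and the function names are assumptions for illustration, not taken from the commit.

```python
"""Added example (not the project's code): centralized Flask response hardening.
Header values and route prefixes below are assumed defaults for illustration."""
from typing import MutableMapping

# Constructed defaults; a real deployment tunes these (especially the CSP).
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
}
# Assumed route prefixes whose responses must never be stored by any cache.
SENSITIVE_PREFIXES = ("/login", "/cart", "/checkout", "/admin")
NO_STORE = "no-store, no-cache, must-revalidate, private"
IMMUTABLE = "public, max-age=31536000, immutable"


def harden_headers(path: str, headers: MutableMapping[str, str]) -> MutableMapping[str, str]:
    """Apply the security headers and context-aware cache rules to a response
    header map in place (works for a dict or a werkzeug Headers object)."""
    headers.update(SECURITY_HEADERS)
    headers.pop("Server", None)  # do not advertise the server software
    if path.startswith(SENSITIVE_PREFIXES):
        # Sensitive pages: forbid browser and shared caches from keeping a copy.
        headers["Cache-Control"] = NO_STORE
        headers["Pragma"] = "no-cache"
        headers["Expires"] = "0"
    elif path.startswith("/static/"):
        # Fingerprinted static assets are safe to cache for a long time.
        headers["Cache-Control"] = IMMUTABLE
    else:
        # Other pages: revalidate on every use unless the view chose a policy.
        headers.setdefault("Cache-Control", "no-cache")
    return headers


def register_hardening(app) -> None:
    """Attach harden_headers to a Flask app as a single after_request hook."""
    from flask import request  # imported lazily so the module loads without Flask

    @app.after_request
    def _apply(response):
        harden_headers(request.path, response.headers)
        return response
```

The Server header is frequently added again by the WSGI server or reverse proxy after Flask returns, so verify its absence against the deployed endpoint rather than only with the test client.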