pushed
zhengqunkoo/Luxuryshoppingwebsite • 3:59 AM - Feb 5, 2026
This commit adds an OWASP ZAP remediation plan and, more importantly, records a critical operational finding: the app already contains security-header and cookie-hardening changes, but production is still serving without them because those changes have not reached main and been deployed. The document captures evidence from the scan, identifies deployment as the immediate blocker, and breaks the remaining findings into prioritized follow-up PRs for SRI, cache control, input validation, and cleanup. The practical effect is a much clearer path to getting production back to the expected security baseline before tackling lower-priority issues.
