Configurable Anti-Clickjacking Headers for App Platform Pages
Merlot Cheetah
Provide a configurable option in the Rewst App Platform to control anti-clickjacking HTTP response headers for hosted application pages.
Currently, App Platform pages served from *.rew.st can be embedded in an iframe because response headers such as X-Frame-Options and Content-Security-Policy are not enforced or configurable. This exposes client-facing pages to clickjacking risk.
As these headers must be set by the origin server, customers cannot remediate this finding at the application or page level.
Ideally, a configurable setting at the App Platform or application level would control framing behaviour, for example:
- Enable/disable framing entirely
- Allow framing only from same origin
- Allow framing from a defined allow-list of trusted domains
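To make the three options above concrete, here is an added example (not Rewst's code, and not part of the original request) of what the server side of such a setting could look like: one function maps a chosen policy to the response headers the origin server would emit (Content-Security-Policy `frame-ancestors` plus X-Frame-Options for older user agents), and a second function evaluates a set of response headers the way a browser would, so the current "no headers, framing allowed" state can be checked beside each hardened configuration. The `FramingPolicy` names, the `https`-only validation rule for allow-list entries and the sample origins (`app.rew.st`, `portal.example.com`, `*.trusted.example`) are assumptions constructed for the example.

```python
import re
from enum import Enum
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit


class FramingPolicy(Enum):
    DENY = "deny"                # page may never be framed
    SAME_ORIGIN = "same-origin"  # only pages from the same origin may frame it
    ALLOW_LIST = "allow-list"    # only listed trusted origins may frame it


# Hypothetical validation rule for allow-list entries: https scheme, a host
# (optionally with a leading "*." wildcard), optional port, nothing else.
# Rejecting anything else keeps ";", quotes or paths out of the CSP value.
_ORIGIN_RE = re.compile(r"^https://(\*\.)?[A-Za-z0-9.-]+(:\d+)?$")


def framing_headers(policy: FramingPolicy,
                    allowed_origins: Iterable[str] = ()) -> Dict[str, str]:
    """Response headers the origin server would emit for the chosen policy."""
    if policy is FramingPolicy.DENY:
        return {"X-Frame-Options": "DENY",
                "Content-Security-Policy": "frame-ancestors 'none'"}
    if policy is FramingPolicy.SAME_ORIGIN:
        return {"X-Frame-Options": "SAMEORIGIN",
                "Content-Security-Policy": "frame-ancestors 'self'"}
    origins = [o.strip() for o in allowed_origins if o.strip()]
    if not origins:
        raise ValueError("allow-list policy needs at least one origin")
    bad = [o for o in origins if not _ORIGIN_RE.match(o)]
    if bad:
        raise ValueError(f"invalid allow-list origin(s): {bad}")
    # X-Frame-Options has no usable allow-list form (ALLOW-FROM is obsolete),
    # so only the CSP directive is emitted for this policy.
    return {"Content-Security-Policy": "frame-ancestors " + " ".join(origins)}


def _origin_of(url: str) -> Tuple[str, str, Optional[int]]:
    """(scheme, host, port) with the default port filled in for http/https."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port if p.port is not None else {"https": 443, "http": 80}.get(scheme)
    return (scheme, (p.hostname or "").lower(), port)


def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def _source_matches(source: str, page_url: str, embedder_url: str) -> bool:
    """Simplified CSP source matching: 'none', 'self', host and *.host forms."""
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin_of(page_url) == _origin_of(embedder_url)
    s, e = urlsplit(source), urlsplit(embedder_url)
    if s.scheme and s.scheme.lower() != e.scheme.lower():
        return False
    host_pat = (s.hostname or "").lower()
    host = (e.hostname or "").lower()
    if host_pat.startswith("*."):
        if not host.endswith(host_pat[1:]):   # "*.a.example" -> ".a.example"
            return False
    elif host_pat != host:
        return False
    if s.port is not None and s.port != e.port:
        return False
    return True


def may_frame(headers: Dict[str, str], page_url: str, embedder_url: str) -> bool:
    """Would a browser honouring these headers render page_url in a frame on
    embedder_url? CSP frame-ancestors, when present, takes precedence over
    X-Frame-Options; the embedder is treated as the top-level document."""
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    if csp is not None:
        sources = _frame_ancestors(csp)
        if sources is not None:          # an empty list behaves like 'none'
            return any(_source_matches(s, page_url, embedder_url) for s in sources)
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _origin_of(page_url) == _origin_of(embedder_url)
    # Neither header present (or an unrecognised value): framing is allowed,
    # which is the state the request above describes for *.rew.st pages.
    return True
```

Running `may_frame({}, ...)` against any embedder returns `True`, which is the finding the request is about; each `framing_headers(...)` result flips that to `False` for everything outside the configured policy. Emitting both headers for the deny and same-origin options is deliberate: `frame-ancestors` is the control modern browsers enforce, and `X-Frame-Options` covers older user agents that ignore CSP.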