Improve security even with authentication disabled

[de-code]

Is your feature request related to a problem? Please describe.
Authentication creates friction for local development and as pointed out in #677 it appears to be often disabled.
There appear to be ways to improve security even without authentication.
The current endpoints of the proxy server already do not follow best practise due as GET requests shouldn't have side effects.
Those security improvements could potentially be valuable even with authentication enabled.

Describe the solution you'd like
A solution that prevents browser based attacks even without explicit authentication.
GET requests to not have side effects.

Recommended changes:

• Change all unsafe endpoints to POST (or similar), e.g. /stdio, /sse etc
• For all unsafe endpoints, require sec-fetch-site to be same-site

Describe alternatives you've considered

• A fixed authentication token to at least allow bookmarking.
• Authentication token stored in cookie
• Disabling stdio support
• Requiring origin for all unsafe endpoints (currently ignored if there is no origin)

Additional context
The main attack vector that triggered authentication was from a browser.
Protecting against other processes on the same machine may be valuable but may already be too late.

The attack described in cve-2025-49596 was using http://0.0.0.0:6277/sse?transportType=stdio&command=touch&args=%2Ftmp%2Fexploited-from-the-browser as the URL (the same works with /stdio). With the mode set to no-cors, the browser would not check CORS but also not provide a response. Modern browsers would then set the sec-fetch-site to no-cors. The method could also be POST (which is why checking sec-fetch-site is necessary).

Note: I am not a security expert

[JLLeitschuh]

You don't need a response in the browser if you've already dropped a reverse shell, or malware 😂