fix(csp): allow secure.helcim.app for HelcimPay.js

The HelcimPay modal loads from secure.helcim.app, but the CSP only
listed myposjs.helcim.com (script/connect) and secure.helcim.com
(frame, likely a stale typo). Add secure.helcim.app to script-src,
connect-src, and frame-src so the join flow's payment modal can load.

server/middleware/02.security-headers.js

@@ -17,12 +17,12 @@ export default defineEventHandler((event) => {
     if (!path.startsWith('/oidc/')) {
       headers['Content-Security-Policy'] = [
         "default-src 'self'",
-        "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://myposjs.helcim.com https://plausible.io",
+        "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://myposjs.helcim.com https://secure.helcim.app https://plausible.io",
         "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
         "img-src 'self' data: https://res.cloudinary.com https://*.cloudinary.com",
         "font-src 'self' https://fonts.gstatic.com",
-        "connect-src 'self' https://api.helcim.com https://myposjs.helcim.com https://plausible.io",
-        "frame-src 'self' https://myposjs.helcim.com https://secure.helcim.com",
+        "connect-src 'self' https://api.helcim.com https://myposjs.helcim.com https://secure.helcim.app https://plausible.io",
+        "frame-src 'self' https://myposjs.helcim.com https://secure.helcim.app",
         "base-uri 'self'",
         "form-action 'self'",
       ].join('; ')

tests/server/middleware/security-headers.test.js

@@ -86,7 +86,7 @@ describe('security-headers middleware', () => {
       const csp = event._testSetHeaders['content-security-policy']
       expect(csp).toContain('myposjs.helcim.com')
       expect(csp).toContain('api.helcim.com')
-      expect(csp).toContain('secure.helcim.com')
+      expect(csp).toContain('secure.helcim.app')
     })
 
     it('includes Cloudinary sources in CSP', () => {