Skip CSP on OIDC routes to fix logout form submission

The oidc-provider generates form actions with http:// URLs that
conflict with the CSP form-action directive. OIDC routes serve
self-contained HTML outside Nuxt, so CSP is not needed there.

server/middleware/02.security-headers.js

@@ -1,4 +1,6 @@
 export default defineEventHandler((event) => {
+  const path = getRequestURL(event).pathname
+
   const headers = {
     'X-Content-Type-Options': 'nosniff',
     'X-Frame-Options': 'DENY',
@@ -10,7 +12,9 @@ export default defineEventHandler((event) => {
   if (process.env.NODE_ENV === 'production') {
     headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'
 
-    // CSP: allow self, Cloudinary images, HelcimPay.js, Plausible analytics
+    // Skip CSP for OIDC routes — they serve self-contained HTML
+    // rendered by oidc-provider with its own form actions
+    if (!path.startsWith('/oidc/')) {
       headers['Content-Security-Policy'] = [
         "default-src 'self'",
         "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://myposjs.helcim.com https://plausible.io",
@@ -23,6 +27,7 @@ export default defineEventHandler((event) => {
         "form-action 'self'",
       ].join('; ')
     }
+  }
 
   for (const [key, value] of Object.entries(headers)) {
     setHeader(event, key, value)