security: implement pentest remediation (PROXY-001, BURN-001, RATE-001)

PROXY-001: Add startup warning when TRUSTED_PROXY_SECRET empty in production
- validate_security_config() checks for missing proxy secret
- Additional warning when PKI enabled without proxy secret
- Tests for security configuration validation

BURN-001: HEAD requests now trigger burn-after-read deletion
- Prevents attacker from probing paste existence before retrieval
- Updated test to verify new behavior

RATE-001: Add RATE_LIMIT_MAX_ENTRIES to cap memory usage
- Default 10000 unique IPs tracked
- Prunes oldest entries when limit exceeded
- Protects against memory exhaustion DoS

Test count: 284 -> 291 (7 new security tests)

app/config.py

@@ -99,6 +99,8 @@ class Config:
     RATE_LIMIT_MAX = int(os.environ.get("FLASKPASTE_RATE_MAX", "10"))  # requests per window
     # Authenticated users get higher limits (multiplier)
     RATE_LIMIT_AUTH_MULTIPLIER = int(os.environ.get("FLASKPASTE_RATE_AUTH_MULT", "5"))
+    # Maximum unique IPs tracked in rate limit storage (RATE-001: memory DoS protection)
+    RATE_LIMIT_MAX_ENTRIES = int(os.environ.get("FLASKPASTE_RATE_MAX_ENTRIES", "10000"))
 
     # Audit Logging
     # Track security-relevant events (paste creation, deletion, rate limits, etc.)