What CSP, HSTS, and related HTTP headers do—and why browser-based header checks are limited without a server-side scanner.