fix/api-server-cors-vary-origin (base: upstream/main)

[aydnOktay]

This PR adds a small but effective security hardening to the OpenAI-compatible API server by setting the X-Content-Type-Options: nosniff header on all responses via middleware, preventing MIME sniffing in browsers and improving overall safety for web-based clients; it also includes a regression test to ensure the header is consistently present.

[aydnOktay]

heyy sir check pls my prs @teknium1

[teknium1]

Thanks for this contribution, @aydnOktay! The security header hardening from this PR was already salvaged and merged into main.

---

This is an automated hermes-sweeper review.

• The X-Content-Type-Options: nosniff header (plus Referrer-Policy: no-referrer) is live in gateway/platforms/api_server.py lines 449–463 via a dedicated security_headers_middleware.
• It was merged as PR feat(api-server): add basic security headers #3576 on 2026-03-28 in commit df1bf0a20, with you listed as co-author.
• A regression test (test_security_headers_present) was included in tests/gateway/test_api_server.py.
• The fix shipped in release v2026.3.30.

Closing this PR as the work is fully implemented on main.