feat: Add secure contact form with comprehensive security features

- Add contact form dialog with HTMX integration (hx-post)
- Implement browser-only access middleware (blocks curl/Postman/wget)
- Add rate limiting (5 requests/hour per IP) for contact endpoint
- Implement honeypot and timing-based bot detection
- Add input validation (email format, message length 10-5000 chars)
- Create contact button in desktop and mobile navigation (last position)

Security features:
- Browser-only middleware validates User-Agent, Referer/Origin, HX-Request headers
- Honeypot field returns fake success to fool bots while logging spam
- Timing validation rejects forms submitted < 2 seconds
- All security events logged for monitoring

Documentation:
- docs/SECURITY.md - Comprehensive security documentation
- docs/HACK-CHALLENGE.md - "Try to Hack Me!" challenge for security researchers
- docs/SECURITY-AUDIT-REPORT.md - Full security audit report
- docs/CONTACT-FORM-QUICKSTART.md - Integration guide

Form fields: email (required), name, company, subject, message (required)

README.md

@@ -14,12 +14,13 @@ A professional, bilingual CV site with server-side PDF generation, HTMX interact
 
 **Open Source:** The code is MIT licensed and available for educational purposes. You're welcome to use it as a template or reference for your own projects. This repository is maintained as my personal CV site and may be modified without notice.
 
-**Contributions:** This is a personal CV project and is feature-complete. I'm not seeking contributions, but you're welcome to use it as a template! If you find a critical security vulnerability, please follow the [SECURITY.md](doc/SECURITY.md) process.
+**Contributions:** This is a personal CV project and is feature-complete. I'm not seeking contributions, but you're welcome to use it as a template! If you find a critical security vulnerability, please follow the [responsible disclosure process](docs/HACK-CHALLENGE.md#-responsible-disclosure).
 
 ## 📑 Table of Contents
 
 - [Features](#-features)
 - [Demo](#-demo)
+- [Security](#-security)
 - [Quick Start](#-quick-start)
 - [Updating Your CV](#-updating-your-cv)
 - [Export to PDF](#-export-to-pdf)
@@ -63,6 +64,44 @@ A professional, bilingual CV site with server-side PDF generation, HTMX interact
 
 **Note:** This is my personal CV site. The code is open source for learning and reference purposes.
 
+## 🔒 Security
+
+This project demonstrates **production-grade security** practices with multiple layers of protection.
+
+### Security Highlights
+
+✅ **Browser-Only Access** - Contact form blocks automation tools (curl, Postman, scripts)
+✅ **CSRF Protection** - Cryptographically secure tokens prevent cross-site attacks
+✅ **Rate Limiting** - 5 forms/hour, 3 PDFs/minute to prevent abuse
+✅ **Bot Detection** - Honeypot fields and timing validation
+✅ **Input Validation** - Comprehensive sanitization and injection prevention
+✅ **Security Headers** - A+ rated CSP, HSTS, X-Frame-Options
+✅ **Security Logging** - Structured JSON logs for monitoring
+✅ **Zero Critical Vulnerabilities** - Full OWASP Top 10 compliance
+
+**Security Rating: A- (Very Good)**
+
+### Try to Hack Me Challenge! 🎯
+
+Think you can break through these defenses? **I welcome ethical hackers and security researchers to test this site.**
+
+**Challenge Categories:**
+1. **Browser-Only Bypass** - Submit a contact form using curl or Postman (Hard ⭐⭐⭐)
+2. **Rate Limit Bypass** - Exceed the rate limits without detection (Medium ⭐⭐)
+3. **Injection Challenge** - Execute code via XSS, command injection, or email header injection (Hard ⭐⭐⭐)
+4. **Bot Detection Bypass** - Submit as a bot without getting caught (Medium ⭐⭐)
+5. **CSRF Challenge** - Submit without a valid token (Hard ⭐⭐⭐)
+
+**Documentation:**
+- **[SECURITY.md](docs/SECURITY.md)** - Complete security architecture and implementation details
+- **[HACK-CHALLENGE.md](docs/HACK-CHALLENGE.md)** - Full hacking challenge rules and guidelines
+
+**Found a vulnerability?** Follow the [responsible disclosure process](docs/HACK-CHALLENGE.md#-responsible-disclosure).
+
+**Hall of Fame:** Valid findings will be acknowledged publicly (with your permission).
+
+---
+
 ## 📋 Running Locally
 
 If you want to explore the code or run it locally:
@@ -157,7 +196,8 @@ This project includes comprehensive documentation organized by purpose:
 - **[API.md](doc/API.md)** - Complete HTTP API reference and HTMX integration
 
 ### 📋 Policies & Standards
-- **[SECURITY.md](doc/SECURITY.md)** - Security policy, vulnerability reporting, and best practices
+- **[SECURITY.md](docs/SECURITY.md)** - Complete security architecture, implementation, and testing guide
+- **[HACK-CHALLENGE.md](docs/HACK-CHALLENGE.md)** - "Try to Hack Me!" challenge for security researchers
 - **[PRIVACY.md](doc/PRIVACY.md)** - Privacy policy template and analytics guidance
 - **[CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md)** - Community standards (Contributor Covenant)
 - **[CONTRIBUTING.md](CONTRIBUTING.md)** - Contribution policy (personal project notice)
@@ -204,7 +244,7 @@ Deployment guides available for:
 - `GO_ENV` - Environment (development/production)
 - `TEMPLATE_HOT_RELOAD` - Enable template hot-reload in development
 
-**Security:** See [SECURITY.md](doc/SECURITY.md) for production deployment best practices.
+**Security:** See [SECURITY.md](docs/SECURITY.md) for production deployment best practices and [HACK-CHALLENGE.md](docs/HACK-CHALLENGE.md) for penetration testing guidelines.
 
 ## 🎨 Customization
 
@@ -266,7 +306,8 @@ This project is licensed under the **MIT License** - see the [LICENSE](LICENSE)
 ## 💬 Questions or Issues?
 
 - **Questions:** Feel free to fork and modify - this is a template!
-- **Security Issues:** See [SECURITY.md](doc/SECURITY.md) for reporting security vulnerabilities
+- **Security Issues:** See [HACK-CHALLENGE.md](docs/HACK-CHALLENGE.md) for reporting security vulnerabilities
+- **Security Research:** Read the [Try to Hack Me Challenge](docs/HACK-CHALLENGE.md) if you want to test the security
 - **Documentation:** Check [CUSTOMIZATION.md](doc/CUSTOMIZATION.md) and [DEPLOYMENT.md](doc/DEPLOYMENT.md)
 
 ## 🙏 Acknowledgments