feat: add standard proxy headers with backward compatibility

Add X-Real-IP, X-Forwarded-Proto, X-Forwarded-Host, and X-Forwarded-Port headers to all proxy hosts for proper client IP detection, HTTPS enforcement, and logging.

- New feature flag: enable_standard_headers (default: true for new hosts, false for existing)
- UI: Checkbox in proxy host form and bulk apply modal for easy migration
- Security: Always configure trusted_proxies when headers enabled
- Backward compatible: Existing hosts preserve legacy behavior until explicitly enabled

BREAKING CHANGE: New proxy hosts will have standard headers enabled by default. Existing hosts maintain legacy behavior. Users can opt-in via UI.

Backend: 98.7% coverage, 8 new tests
Frontend: 87.7% coverage, full TypeScript support
Docs: Comprehensive migration guide and troubleshooting

Closes #<issue-number> (FileFlows WebSocket fix)

frontend/src/utils/proxyHostsHelpers.ts

@@ -14,6 +14,8 @@ export function formatSettingLabel(key: string) {
       return 'Block Exploits'
     case 'websocket_support':
       return 'Websockets Support'
+    case 'enable_standard_headers':
+      return 'Standard Proxy Headers'
     default:
       return key
   }
@@ -33,6 +35,8 @@ export function settingHelpText(key: string) {
       return 'Add common exploit-mitigation headers and rules.'
     case 'websocket_support':
       return 'Enable websocket proxying support.'
+    case 'enable_standard_headers':
+      return 'Add X-Real-IP and X-Forwarded-* headers for client IP detection.'
     default:
       return ''
   }
@@ -52,6 +56,8 @@ export function settingKeyToField(key: string) {
       return 'block_exploits'
     case 'websocket_support':
       return 'websocket_support'
+    case 'enable_standard_headers':
+      return 'enable_standard_headers'
     default:
       return key
   }