feat: bypass security for health checks and support HEAD downloads

- Allow the `/health` endpoint to bypass the security middleware, ensuring container health checks succeed even if the proxy IP is banned.
- Add a test to verify health checks from banned IPs.
- Register a HEAD route for file downloads.
- Refactor admin alert status checks to use a new `isUnacknowledgedAlert` helper.
- Update the security runbook documentation with clearer instructions and examples for trusted proxy configuration.

docs/security-runbook.md

@@ -2,26 +2,26 @@
 
 ## Trusted Proxy Setup (Caddy)
 
-Set `WARPBOX_TRUSTED_PROXY_CIDRS` to only the CIDRs of your reverse proxies/load balancers.
+Set `WARPBOX_TRUSTED_PROXY_CIDRS` to only the CIDRs of your reverse proxies/load balancers. Without this, WarpBox intentionally ignores forwarding headers and every request may appear to come from the proxy/container bridge, such as `172.30.0.1`.
 
 Example:
 
 ```bash
-WARPBOX_TRUSTED_PROXY_CIDRS=10.0.0.0/8,192.168.0.0/16
+WARPBOX_TRUSTED_PROXY_CIDRS=172.30.0.1/32
 ```
 
 Caddy example:
 
 ```caddyfile
 :443 {
-  reverse_proxy 127.0.0.1:8080 {
+  reverse_proxy warpbox:8080 {
     header_up X-Forwarded-For {http.request.remote.host}
     header_up X-Real-IP {http.request.remote.host}
   }
 }
 ```
 
-WarpBox will trust `X-Forwarded-For` only if the direct remote IP is inside `WARPBOX_TRUSTED_PROXY_CIDRS`.
+WarpBox will trust `X-Forwarded-For` only if the direct remote IP is inside `WARPBOX_TRUSTED_PROXY_CIDRS`. Prefer the exact proxy IP as a `/32` when it is stable. If Caddy is on a changing Docker/Podman network, use that network's CIDR instead. You can find it with `docker network inspect <network>` or `podman network inspect <network>`.
 
 ## IP Ban Operations