docs: explain helmet() middleware with inline comments across all services

[Copilot]

helmet() was either completely uncommented or had a terse, typo'd note (// secure app from xss attackss), leaving its purpose unclear to contributors.

Changes

• user-service/src/app.js and posts-service/src/app.js: Added explanatory comment (was entirely absent)
• chat-service/src/App.ts: Replaced inaccurate/typo'd comment with the same consistent explanation

All three services now carry:

// helmet() sets security-related HTTP response headers to protect the app from common
// web vulnerabilities. It configures: Content-Security-Policy (blocks malicious scripts),
// X-Frame-Options (prevents clickjacking), X-Content-Type-Options (blocks MIME sniffing),
// Strict-Transport-Security (enforces HTTPS), Referrer-Policy, and more.
app.use(helmet());

---

📍 Connect Copilot coding agent with Jira, Azure Boards or Linear to delegate work to Copilot in one click without leaving your project management tool.