Add CSP, file upload, open redirect, clickjacking patterns

Complete security patterns collection (23 total):
- csp.md: nonces, hashes, strict-dynamic, reporting
- file-upload.md: content validation, path traversal, malware scanning
- open-redirect.md: URL validation, OAuth redirect URI, bypass techniques
- clickjacking.md: X-Frame-Options, frame-ancestors CSP

Comprehensive coverage for web application security review.

README.md

@@ -29,18 +29,37 @@ Based on OWASP Top 10:2025 and recent security research.
 | [jwt-security.md](jwt-security.md) | Algorithm confusion, weak secrets, expiration | A07 |
 | [session-management.md](session-management.md) | Session fixation, hijacking, secure cookies | A07 |
 
-### Attack Prevention
+### Injection & Request Attacks
 
 | File | Topic | OWASP 2025 |
 |------|-------|------------|
 | [injection-prevention.md](injection-prevention.md) | SQL, command, template, path traversal | A05 |
 | [ssrf.md](ssrf.md) | Server-side request forgery, metadata endpoints | A10 |
 | [xxe.md](xxe.md) | XML external entities, DTD attacks | A05 |
-| [dos-prevention.md](dos-prevention.md) | Rate limiting, resource bounds, algorithmic complexity | — |
-| [prompt-injection.md](prompt-injection.md) | LLM security, data/instruction separation | — |
 | [deserialization.md](deserialization.md) | Untrusted data deserialization, pickle, yaml | A08 |
-| [race-conditions.md](race-conditions.md) | TOCTOU, atomic check-and-act, database locks | — |
+| [open-redirect.md](open-redirect.md) | URL validation, OAuth redirect URI | A01 |
+
+### Client-Side Security
+
+| File | Topic | OWASP 2025 |
+|------|-------|------------|
+| [csp.md](csp.md) | Content Security Policy, nonces, hashes | A05 |
 | [cors.md](cors.md) | Origin validation, credential handling | A01 |
+| [clickjacking.md](clickjacking.md) | X-Frame-Options, frame-ancestors | A01 |
+
+### Application Logic
+
+| File | Topic | OWASP 2025 |
+|------|-------|------------|
+| [race-conditions.md](race-conditions.md) | TOCTOU, atomic check-and-act, database locks | — |
+| [dos-prevention.md](dos-prevention.md) | Rate limiting, resource bounds, algorithmic complexity | — |
+| [file-upload.md](file-upload.md) | Content validation, safe storage, malware scanning | A04 |
+
+### AI/LLM Security
+
+| File | Topic | OWASP 2025 |
+|------|-------|------------|
+| [prompt-injection.md](prompt-injection.md) | LLM security, data/instruction separation | — |
 
 ### Infrastructure
 
@@ -51,18 +70,18 @@ Based on OWASP Top 10:2025 and recent security research.
 
 ## OWASP Top 10:2025 Coverage
 
-| # | Category | Pattern |
-|---|----------|---------|
-| A01 | Broken Access Control | authorization.md, cors.md |
-| A02 | Security Misconfiguration | secure-defaults.md |
-| A03 | Software Supply Chain Failures | supply-chain.md |
-| A04 | Cryptographic Failures | cryptography.md |
-| A05 | Injection | injection-prevention.md, xxe.md |
-| A06 | Insecure Design | secure-defaults.md |
-| A07 | Authentication Failures | authentication.md, jwt-security.md, session-management.md |
-| A08 | Software or Data Integrity Failures | deserialization.md |
-| A09 | Security Logging and Alerting Failures | audit-logging.md |
-| A10 | Mishandling of Exceptional Conditions | error-handling.md, ssrf.md |
+| # | Category | Patterns |
+|---|----------|----------|
+| A01 | Broken Access Control | authorization, cors, clickjacking, open-redirect |
+| A02 | Security Misconfiguration | secure-defaults |
+| A03 | Software Supply Chain Failures | supply-chain |
+| A04 | Cryptographic Failures | cryptography, file-upload |
+| A05 | Injection | injection-prevention, xxe, csp |
+| A06 | Insecure Design | secure-defaults |
+| A07 | Authentication Failures | authentication, jwt-security, session-management |
+| A08 | Software or Data Integrity Failures | deserialization |
+| A09 | Security Logging and Alerting Failures | audit-logging |
+| A10 | Mishandling of Exceptional Conditions | error-handling, ssrf |
 
 ## Sources