
docs: document X-Forwarded-For trust requirement for self-hosted deployments #20

@peg

Description


Problem

The self-hosted server trusts X-Forwarded-For headers without verification. If deployed directly on a public interface (not behind a reverse proxy), attackers can spoof their source IP in canary alerts.

Fix

This is a deployment concern, not a code bug. Add a prominent warning to the self-hosting docs:

Important: Only expose the Snare server behind a reverse proxy you control (nginx, Caddy, Cloudflare Tunnel, etc.). Never bind directly to a public interface. The server trusts X-Forwarded-For headers, which can be spoofed if not set by a trusted upstream.

A future improvement would be a TRUSTED_PROXIES config option that only reads X-Forwarded-For from known CIDR ranges.

Affected files

  • internal/serve/serve.go
  • Self-hosting docs (docs.snare.sh)
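As an added illustration of the TRUSTED_PROXIES idea from the issue (example code written for this page, not Snare's own serve.go; the option name, the CIDR values and the ClientIP helper are assumptions): the header is read only when the direct peer is inside a trusted range, and it is walked from the right so that a client-supplied prefix cannot override the hop the proxy appended.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// trustedProxies stands in for a hypothetical TRUSTED_PROXIES setting (CIDRs constructed for this example).
var trustedProxies = []netip.Prefix{
	netip.MustParsePrefix("127.0.0.0/8"),
	netip.MustParsePrefix("10.0.0.0/8"),
}

func isTrustedProxy(ip netip.Addr, trusted []netip.Prefix) bool {
	for _, p := range trusted {
		if p.Contains(ip.Unmap()) {
			return true
		}
	}
	return false
}

// ClientIP picks the source address to record in an alert: X-Forwarded-For is read only when the
// direct peer is a trusted proxy, and then from the right, so a client-supplied prefix cannot win.
func ClientIP(remoteAddr, xff string, trusted []netip.Prefix) string {
	peer, err := netip.ParseAddrPort(remoteAddr)
	if err != nil {
		return remoteAddr // not host:port: record it verbatim, never the header
	}
	host := peer.Addr().Unmap().String()
	if !isTrustedProxy(peer.Addr(), trusted) {
		return host // direct connection: the header is untrusted, ignore it
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			return host // empty or malformed header: fall back to the peer
		}
		if !isTrustedProxy(ip, trusted) {
			return ip.Unmap().String()
		}
	}
	return host // every listed hop was a trusted proxy
}

func main() {
	fmt.Println(ClientIP("203.0.113.7:5555", "198.51.100.9", trustedProxies), ClientIP("10.1.2.3:443", "1.2.3.4, 198.51.100.9", trustedProxies))
}
```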


Labels: documentation (Improvements or additions to documentation)
