Add receipt preview lightbox with carousel navigation

- Add receiptPreview.js component with keyboard/swipe navigation
- Add receipt-preview.css with lightbox modal styling
- Add receipt indicator icon on expense rows (clickable to preview)
- Fix X-Frame-Options to allow PDF iframe embedding
- Exempt receipt serving from rate limiting
- Remove preview button from modals (click thumbnail instead)
- Move Export & Backup card, remove HSA Balance from settings

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

Author: JavaDogWebDesign

app/app.py

@@ -1,5 +1,5 @@
 """HSA/FSA Expense & Reimbursement Tracker - Main Application"""
-from flask import Flask, session, jsonify, render_template
+from flask import Flask, session, jsonify, render_template, request
 import os
 import secrets
 import logging
@@ -163,6 +163,8 @@ def inject_user_preferences():
 if limiter:
     limiter.limit("5 per minute")(app.view_functions['auth.login'])
     limiter.limit("3 per hour")(app.view_functions['auth.register'])
+    # Exempt receipt serving from rate limits (PDFs trigger many requests for page rendering)
+    limiter.exempt(app.view_functions['attachments.serve_receipt'])
 
 # ============================================================================
 # Error Handlers - Custom error pages for production
@@ -191,9 +193,15 @@ def forbidden_error(error):
 def set_security_headers(response):
     """Add security headers to all responses"""
     response.headers['X-Content-Type-Options'] = 'nosniff'
-    response.headers['X-Frame-Options'] = 'DENY'
     response.headers['X-XSS-Protection'] = '1; mode=block'
 
+    # Allow same-origin framing for receipt files (needed for PDF preview)
+    # Use SAMEORIGIN for /receipts/ paths, DENY for everything else
+    if request.path.startswith('/receipts/'):
+        response.headers['X-Frame-Options'] = 'SAMEORIGIN'
+    else:
+        response.headers['X-Frame-Options'] = 'DENY'
+
     # Only set HSTS in production
     if os.environ.get('FLASK_ENV') == 'production':
         response.headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'