Underground FX Radio – hardening follow-up

This pass adds:
- forced password hashing on admin user save
- CSRF protection on public contact, requests, and join forms
- applications upload folder protection
- SVG removed from auto-scanned chat media to reduce XSS risk
- smarter admin index redirect
- safer logout session cleanup

Still recommended later:
- rate limiting for public forms and chat posting
- CAPTCHA or honeypot on public forms if spam appears
- periodic review of admin action logs
- HTTPS-only deployment before public launch