Harden admin security controls

api/upload.php

@@ -1,9 +1,10 @@
 <?php
 require_once 'config.php';
 require_once __DIR__ . '/error_config.php';
-session_start();
+start_secure_session();
 set_json_headers();
 require_auth();
+require_csrf();
 
 if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
     json_response(['error' => 'POST만 허용됩니다'], 405);
@@ -225,5 +226,10 @@ if ($saved) {
     ]);
 } else {
     $err = error_get_last();
-    json_response(['error' => '파일 저장 실패', 'detail' => $err, 'target' => $target_path, 'tmp' => $file['tmp_name'], 'tmp_exists' => file_exists($file['tmp_name'])], 500);
+    error_log('Upload save failed: ' . json_encode([
+        'detail' => $err,
+        'target' => $target_path,
+        'tmp_exists' => file_exists($file['tmp_name'])
+    ], JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE));
+    json_response(['error' => '파일 저장 실패'], 500);
 }