
fix(scan): prevent SSRF by blocking internal IP ranges#22

Merged
ralyodio merged 1 commit into profullstack:master from russo2100:fix/ssrf-scan on Jun 18, 2026

Conversation

@russo2100

Contributor

Description:

### 🚀 Overview
Addresses a critical Server-Side Request Forgery (SSRF) vulnerability in the `POST /api/scan` endpoint.

### 🛡️ Security Fixes
The `fetch` call correctly follows redirects (`redirect: "follow"`) but previously lacked restrictions on private/internal IP ranges, meaning it could be manipulated to scan internal services (e.g., local PostgreSQL at 127.0.0.1:5432, AWS metadata at 169.254.169.254, or internal network hosts).

- ✅ Introduced an `isPrivateIP` validation guard that checks the resolved DNS record or explicit IP of the provided URL.
- ✅ Explicitly blocks `127.0.x.x`, `10.x.x.x`, `172.16-31.x.x`, `192.168.x.x`, `169.254.x.x`, and loopback IPv6 addresses.
- ✅ The scan will now properly return a `400 Bad Request` if internal routing is attempted.

*This check ensures `security.txt` and `robots.txt` resolution via `checkExists` is also fundamentally protected since the parent origin is blocked early.*
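The guard described in the PR, as an added example that is not the project's code and is not the `isPrivateIP` that was merged: it rejects the loopback, RFC 1918, link-local and CGNAT IPv4 ranges plus the IPv6 loopback, unique-local, link-local and IPv4-mapped forms, and it re-checks every redirect hop with `redirect: "manual"`, because a check on the original origin alone does not cover a public host that 302s the scanner to 127.0.0.1 when `redirect: "follow"` is in effect. The `resolve` and `fetchImpl` parameters, the `scan` handler and the `FAKE_DNS` / `fakeFetch` fixtures are assumptions made so the block runs offline; in production pass `dns.promises.lookup` and the global `fetch`.

```javascript
// Added example (not the project's code): SSRF guard that validates the literal
// or resolved address of every hop, redirects included. `resolve` and
// `fetchImpl` are hypothetical injected dependencies so this runs offline.

// IPv4 ranges a server-side fetch must never reach (constructed list).
const BLOCKED_V4 = [
  ["0.0.0.0", 8],       // "this" network
  ["10.0.0.0", 8],      // RFC 1918
  ["100.64.0.0", 10],   // CGNAT, used for internal services by some clouds
  ["127.0.0.0", 8],     // loopback: the whole /8, not only 127.0.x.x
  ["169.254.0.0", 16],  // link-local, includes metadata at 169.254.169.254
  ["172.16.0.0", 12],   // RFC 1918
  ["192.168.0.0", 16],  // RFC 1918
];

// Strict dotted-quad check. WHATWG URL already canonicalises forms such as
// 0177.0.0.1 and 2130706433 to 127.0.0.1, so `new URL().hostname` is in this shape.
function isIPv4(s) {
  const m = s.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  return !!m && m.slice(1).every((o) => Number(o) <= 255);
}
function v4ToInt(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}
function inCidrV4(ip, base, bits) {
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((v4ToInt(ip) & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
}

function isPrivateIP(ip) {
  const s = ip.toLowerCase();
  if (isIPv4(s)) return BLOCKED_V4.some(([base, bits]) => inCidrV4(s, base, bits));
  if (!s.includes(":")) return true;                     // not an IP literal: fail closed
  // IPv4-mapped IPv6 (::ffff:10.0.0.1 or ::ffff:a00:1) carries an IPv4 target.
  const dotted = s.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  if (dotted) return isPrivateIP(dotted[1]);
  const hex = s.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (hex) {
    const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
    return isPrivateIP(`${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`);
  }
  if (s === "::1" || s === "::") return true;            // loopback, unspecified
  if (/^fe[89ab][0-9a-f]:/.test(s)) return true;         // fe80::/10 link-local
  if (/^f[cd][0-9a-f]{2}:/.test(s)) return true;         // fc00::/7 unique local
  return false;
}

// One hop: scheme check, then the literal address or the resolved one.
async function assertSafeTarget(url, resolve) {
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error(`blocked: scheme ${url.protocol}`);
  }
  const host = url.hostname.replace(/^\[|\]$/g, "");    // strip IPv6 brackets
  const ip = isIPv4(host) || host.includes(":") ? host : (await resolve(host)).address;
  if (isPrivateIP(ip)) throw new Error(`blocked: ${host} -> ${ip}`);
}

// redirect: "manual" so every Location target goes through the same check.
async function checkedFetch(target, { resolve, fetchImpl, maxRedirects = 5 }) {
  let url = new URL(target);
  for (let hop = 0; hop <= maxRedirects; hop++) {
    await assertSafeTarget(url, resolve);
    const res = await fetchImpl(url.href, { redirect: "manual" });
    const loc = res.headers.get("location");
    if (res.status >= 300 && res.status < 400 && loc) {
      url = new URL(loc, url);
      continue;
    }
    return res;
  }
  throw new Error("blocked: too many redirects");
}

// Handler shape: blocked targets become 400, other upstream failures 502.
async function scan(target, deps) {
  try {
    const res = await checkedFetch(target, deps);
    return { status: 200, upstream: res.status };
  } catch (e) {
    const status = e.message.startsWith("blocked:") ? 400 : 502;
    return { status, error: e.message };
  }
}

// Constructed fixtures so the example runs offline (not real DNS or HTTP).
const FAKE_DNS = {
  "metadata.internal": "169.254.169.254",
  "www.example.org": "93.184.216.34",
  "app.example.org": "203.0.113.10",
};
async function fakeResolve(host) {
  if (!(host in FAKE_DNS)) throw new Error(`ENOTFOUND ${host}`);
  return { address: FAKE_DNS[host], family: 4 };
}
async function fakeFetch(href) {
  if (href === "http://app.example.org/redir") {         // open redirect on a public host
    return { status: 302, headers: new Map([["location", "http://127.0.0.1:5432/"]]) };
  }
  return { status: 200, headers: new Map() };
}
const deps = { resolve: fakeResolve, fetchImpl: fakeFetch };

Promise.all([
  scan("http://www.example.org/", deps),
  scan("http://metadata.internal/latest/", deps),
  scan("http://app.example.org/redir", deps),
]).then((r) => console.log(JSON.stringify(r)));
```

Two gaps remain even with per-hop checks. First, `lookup` returns a single address; a name with several A records, one of them private, can slip past, so resolve with `all: true` and reject if any address is private. Second, checking the resolved address and then letting the HTTP client resolve the name again is a DNS-rebinding window; close it by connecting to the address you checked (Node's `http.request` takes a `lookup` option for this) rather than re-resolving the hostname.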

@ralyodio ralyodio merged commit 4872d3a into profullstack:master Jun 18, 2026
9 checks passed