Use POST for destructive actions & mobile UI tweaks

Require POST and CSRF verification for destructive endpoints (profile delete, notification delete, clear-all) and update routes accordingly. Replace GET-based delete links with POST forms (including csrf_field()) and add hidden form submission for "clear all" and account deletion via JS. Add server-side request method checks and verifyCsrf() calls in NotificationController and ProfileController. Improve mobile UX: add sidebar overlay, open/close controls (including swipe-to-close), close button, prevent body scroll when sidebar open, responsive search placeholder and adjusted search/top-nav styling, and minor layout tweaks (truncate app name, adjust notification dropdown width). Also minor whitespace/formatting cleanups.
This commit is contained in:
Hosteroid
2026-02-01 12:30:16 +02:00
parent 6f1316682d
commit 612a4bf790
8 changed files with 163 additions and 29 deletions


@@ -110,6 +110,15 @@ class NotificationController extends Controller
*/
public function delete($params = [])
{
// Ensure POST method
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
$this->redirect('/notifications');
return;
}
// CSRF Protection
$this->verifyCsrf('/notifications');
$userId = Auth::id();
$notificationId = (int)($params['id'] ?? 0);
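Review bot: The added guard relies on `$this->verifyCsrf('/notifications')` halting the request on a bad token, but nothing in the hunk checks its result before falling through to `Auth::id()` and the delete; if verifyCsrf only redirects without exiting (its body is not in this hunk), a forged request would still be deleted. Either confirm that verifyCsrf terminates the request, or make the outcome explicit, e.g. `if (!$this->verifyCsrf('/notifications')) { return; }` and keep the `return;` after `$this->redirect(...)` as done for the method check. The same method-check-plus-CSRF prologue is repeated verbatim in the clearAll() hunk below, so a small private helper such as `requirePost('/notifications')` would keep both in step. delete()'s body continues outside the hunk.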
@@ -129,6 +138,15 @@ class NotificationController extends Controller
*/
public function clearAll()
{
// Ensure POST method
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
$this->redirect('/notifications');
return;
}
// CSRF Protection
$this->verifyCsrf('/notifications');
$userId = Auth::id();
$this->notificationModel->clearAll($userId);
$_SESSION['success'] = 'All notifications cleared';