Security hardening + new tools deployment

- Hide Apache version (ServerTokens Prod)
- Add Permissions-Policy header
- Remove deprecated X-XSS-Protection
- Consolidate security headers to .htaccess only (remove duplicates from PHP)
- Deploy free tools: robots-analyzer, data-converter
- Deploy tools announcement blog post
- Update sitemap with new tools and blog post

api/lead-capture.php

@@ -0,0 +1,36 @@
+<?php
+header("Content-Type: application/json");
+header("Access-Control-Allow-Origin: *");
+header("Access-Control-Allow-Methods: POST");
+header("Access-Control-Allow-Headers: Content-Type");
+
+if ($_SERVER["REQUEST_METHOD"] === "OPTIONS") {
+    http_response_code(200);
+    exit;
+}
+
+if ($_SERVER["REQUEST_METHOD"] !== "POST") {
+    http_response_code(405);
+    echo json_encode(["error" => "Method not allowed"]);
+    exit;
+}
+
+$input = json_decode(file_get_contents("php://input"), true);
+$email = filter_var($input["email"] ?? "", FILTER_VALIDATE_EMAIL);
+$source = htmlspecialchars($input["source"] ?? "unknown");
+$page = htmlspecialchars($input["page"] ?? "unknown");
+
+if (!$email) {
+    http_response_code(400);
+    echo json_encode(["error" => "Invalid email"]);
+    exit;
+}
+
+// Log the lead
+$log_entry = date("Y-m-d H:i:s") . " | $email | $source | $page\n";
+file_put_contents("/var/www/ukds/api/leads.log", $log_entry, FILE_APPEND | LOCK_EX);
+
+// Send notification email (optional - uncomment if you want email alerts)
+// mail("peter.foster@ukdataservices.co.uk", "New Lead: $email", "Source: $source\nPage: $page");
+
+echo json_encode(["success" => true, "message" => "Lead captured"]);