Hacker News: rubendev's comments

If you only secure the login, you will be sending your session cookies unencrypted for the other pages, and they can be intercepted and used to impersonate you.


If the program has access to the credential, and the program is running on your computer, you also have access to the credential no matter how they try to obfuscate it.

What the game dev is supposed to do is have an account system on their backend, and ask the player to enter their credentials in the game. The game can then identify itself as this player to the backend servers. That way any actions on the backend can be attributed to a particular player and you have a good basis to make security decisions on.


You can set a CSP in the HTML head section using a meta http-equiv tag. It has similar functionality to X-Frame-Options IIRC.


Alas, no. ‘frame-ancestors’ does not work in meta. There is no reliable way to prevent clickjacking if you are just editing the HTML. That makes sense: in order for these meta directives to even be enacted, the HTML will have already begun to download and be parsed.

The old-school way is comparing the top-level URL with JS and redirecting, but there are ways to deal with that.
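
The header-versus-meta distinction in the comment above, as an added example that is not part of the original thread: a small checker that reports which framing directives arrive through a channel browsers honor and which are silently ignored. The function names and the shape of the `headers` object (lower-case keys) are assumptions made for this sketch.

```javascript
// Added example: classify framing directives by how they were delivered.
// It only checks delivery; it does not evaluate the source list itself.

// Split one CSP policy string into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Collect policies declared via <meta http-equiv="Content-Security-Policy">.
function metaCspPolicies(html) {
  const policies = [];
  for (const tag of html.match(/<meta\b[^>]*>/gi) || []) {
    if (!/http-equiv\s*=\s*["']?content-security-policy["']?/i.test(tag)) continue;
    const m = tag.match(/content\s*=\s*"([^"]*)"|content\s*=\s*'([^']*)'/i);
    if (m) policies.push(m[1] ?? m[2]);
  }
  return policies;
}

// headers: plain object with lower-case header names (assumed input shape).
function framingProtection(headers, html) {
  const result = { honored: [], ignored: [] };
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    result.honored.push('X-Frame-Options header');
  }
  // A header value may carry several comma-separated policies.
  for (const policy of (headers['content-security-policy'] || '').split(',')) {
    if (parseCsp(policy).has('frame-ancestors')) {
      result.honored.push('CSP frame-ancestors (header)');
    }
  }
  // frame-ancestors is not supported in a <meta> policy, so flag it.
  for (const policy of metaCspPolicies(html)) {
    if (parseCsp(policy).has('frame-ancestors')) {
      result.ignored.push('CSP frame-ancestors (meta)');
    }
  }
  return result;
}
```

A page whose result has an empty `honored` list and a non-empty `ignored` list is the case the comment describes: the directive is present in the HTML but has no effect on framing.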


A dark mode would be nice.


