fix: enforce Secure flag on session and CSRF cookies by default

Cookies were sent without Secure flag outside of production (NODE_ENV check).
New logic: secure=true by default; set SESSION_SECURE=false in .env to
allow HTTP explicitly (local dev without reverse proxy). Affects session
cookie, CSRF cookie in login handler, and CSRF middleware.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

server/middleware/csrf.js

@@ -39,8 +39,7 @@ function csrfMiddleware(req, res, next) {
   res.cookie('csrf-token', req.session.csrfToken, {
     httpOnly: false,
     sameSite: 'strict',
-    secure: process.env.SESSION_SECURE === 'false' ? false
-          : process.env.NODE_ENV === 'production',
+    secure: process.env.SESSION_SECURE !== 'false',
     maxAge: 1000 * 60 * 60 * 24 * 7, // 7 Tage (gleich wie Session)
   });