fix: enforce secure session cookies in production

[KGFCH2]

Related Issue

Closes #133

Summary

Hardens backend session cookies by enabling secure cookies and proxy settings in production.

Changes Made

• Added production detection in server/index.js
• Updated express-session settings:
  • proxy: true in production
  • cookie.secure: true in production
  • cookie.sameSite: lax

Testing

• Verified server starts with the new session config
• Confirmed local development still works
• Confirmed production-sensitive settings are gated by NODE_ENV === "production"

Impact

Improves session security for deployed backend instances.

Checklist

• Code follows project standards
• Tested locally
• No unrelated changes included
• Production cookie security enforced