feat(security): merge Phase 4b security hardening

Complete security hardening implementation including HTTPS enforcement,
security headers, rate limiting, and comprehensive security test suite.

Key features:
- HTTPS enforcement with HSTS support
- Security headers (CSP, X-Frame-Options, X-Content-Type-Options)
- Rate limiting for all critical endpoints
- Enhanced email template security
- 87% test coverage with security-specific tests

Architect approval: 9.5/10

Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-20 18:28:50 -07:00
parent 115e733604
commit d3c3e8dc6b
23 changed files with 3762 additions and 7 deletions


@@ -45,6 +45,11 @@ class Config:
TOKEN_CLEANUP_ENABLED: bool
TOKEN_CLEANUP_INTERVAL: int
# Security Configuration (Phase 4b)
HTTPS_REDIRECT: bool
TRUST_PROXY: bool
SECURE_COOKIES: bool
# Logging
LOG_LEVEL: str
DEBUG: bool
@@ -101,6 +106,11 @@ class Config:
cls.TOKEN_CLEANUP_ENABLED = os.getenv("GONDULF_TOKEN_CLEANUP_ENABLED", "false").lower() == "true"
cls.TOKEN_CLEANUP_INTERVAL = int(os.getenv("GONDULF_TOKEN_CLEANUP_INTERVAL", "3600"))
# Security Configuration (Phase 4b)
cls.HTTPS_REDIRECT = os.getenv("GONDULF_HTTPS_REDIRECT", "true").lower() == "true"
cls.TRUST_PROXY = os.getenv("GONDULF_TRUST_PROXY", "false").lower() == "true"
cls.SECURE_COOKIES = os.getenv("GONDULF_SECURE_COOKIES", "true").lower() == "true"
# Logging
cls.DEBUG = os.getenv("GONDULF_DEBUG", "false").lower() == "true"
# If DEBUG is true, default LOG_LEVEL to DEBUG, otherwise INFO
@@ -162,6 +172,10 @@ class Config:
"GONDULF_TOKEN_CLEANUP_INTERVAL must be at least 600 seconds (10 minutes)"
)
# Disable HTTPS redirect in development mode
if cls.DEBUG:
cls.HTTPS_REDIRECT = False
# Configuration is loaded lazily or explicitly by the application
# Tests should call Config.load() explicitly in fixtures
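Review bot: `GONDULF_HTTPS_REDIRECT` and `GONDULF_SECURE_COOKIES` in the second hunk fail open: any value other than the exact string `true` (for example `1`, `yes`, or `true` with a trailing space) is read as false, so a typo turns a default-on protection off without an error. The `.lower() == "true"` idiom is harmless for the default-off flags around it (`TRUST_PROXY` included), but the default-on ones should reject unrecognised values at load time, as sketched below; the exception type there is a stand-in for whatever the existing validation raises. The debug override in the third hunk is similarly silent: it discards an explicit `GONDULF_HTTPS_REDIRECT=true` without a log line and leaves `SECURE_COOKIES` on, which presumably stops cookies being sent over plain HTTP in development, so a warning and a decision on whether the two flags should move together would help. The enclosing `Config` methods start and end outside these hunks.

```python
def _env_flag(name: str, default: str) -> bool:
    # Strict parse: a typo must not silently switch a security control off.
    raw = os.getenv(name, default).strip().lower()
    if raw not in ("true", "false"):
        # ValueError is a placeholder; raise the type the loader already uses.
        raise ValueError(f"{name} must be 'true' or 'false', got {raw!r}")
    return raw == "true"

# ... unchanged: token cleanup settings ...
# Security Configuration (Phase 4b)
cls.HTTPS_REDIRECT = _env_flag("GONDULF_HTTPS_REDIRECT", "true")
cls.SECURE_COOKIES = _env_flag("GONDULF_SECURE_COOKIES", "true")
# ... unchanged: TRUST_PROXY and logging settings ...
```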