Wire DX_COOKIE_SECURE / DX_HSTS through compose

#51 in Riparion/riparion-cms — merged 2026-06-03

Follow-up to #50.

The H3 env knobs (DX_COOKIE_SECURE, DX_HSTS) are read from the container environment, but docker-compose.yml only forwards vars it lists explicitly — and these two new ones weren't added. So in Docker:

• cookie_secure still worked (the code falls back to SITE_URL being https://), but
• DX_HSTS=off was inert — the app kept emitting its default HSTS.

This surfaced in prod: the app's max-age=86400 HSTS sat alongside the NPM reverse proxy's stronger max-age=63072000; preload, and browsers honor only the first (the app's).

This PR adds both knobs to the compose environment: passthrough and documents them in .env.example, so DX_HSTS=off (already set in the prod .env) can take effect and let NPM be the single HSTS source.

Config/docs only — no Rust changes.

🤖 Generated with Claude Code