feat(security): trust X-Forwarded-Proto behind reverse proxy

Adds server.forward-headers-strategy: native so that Jetty honours
X-Forwarded-{Proto,For,Host} from Caddy. Without this, getScheme(),
redirect URLs, and Spring Session "Secure" cookies reflect the
internal http hop instead of the original https client request.

Refs #497.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/src/main/resources/application.yaml

@@ -38,6 +38,12 @@ spring:
           starttls:
             enable: true
 
+server:
+  # Behind Caddy/reverse proxy: trust X-Forwarded-{Proto,For,Host} so that
+  # request.getScheme(), redirect URLs, and Spring Session "Secure" cookies
+  # reflect the original https client request, not the http hop from Caddy.
+  forward-headers-strategy: native
+
 management:
   health:
     mail: