Harden runtime configuration and container security defaults

.env.example

@@ -1,10 +1,14 @@
 # Django
 DJANGO_SETTINGS_MODULE=config.settings.development
+DJANGO_ENV=development
+# Required to be a strong, unique value when DJANGO_DEBUG=0.
 DJANGO_SECRET_KEY=change-me-in-production
 DJANGO_DEBUG=1
 DJANGO_ALLOWED_HOSTS=localhost,127.0.0.1
 DJANGO_CSRF_TRUSTED_ORIGINS=http://localhost,http://127.0.0.1
 DJANGO_TIME_ZONE=UTC
+DJANGO_LOG_LEVEL=INFO
+DJANGO_LOG_SQL=0
 DJANGO_SUPERUSER_USERNAME=admin
 DJANGO_SUPERUSER_EMAIL=admin@example.com
 DJANGO_SUPERUSER_PASSWORD=adminpass
@@ -29,6 +33,10 @@ AUTO_COLLECTSTATIC=1
 AUTO_BUILD_TAILWIND=1
 GUNICORN_WORKERS=3
 
+# Production-minded security toggles
+DJANGO_SECURE_SSL_REDIRECT=1
+DJANGO_SECURE_HSTS_SECONDS=31536000
+
 # Providers / ingestion
 PROVIDER_BACKEND=demo
 PROVIDER_NAMESPACE_DEMO=mvp_demo