feat: Add HTTPS support with mkcert and automatic SSL configuration

Add comprehensive HTTPS support with two deployment options:
- mkcert for local development with trusted certificates
- Automatic SSL with Let's Encrypt for production

HTTPS Implementation:
- Add docker-compose.https-mkcert.yml for local HTTPS development
- Add docker-compose.https-auto.yml for automatic SSL certificates
- Create Dockerfile.mkcert for certificate generation
- Add setup scripts (setup-https-mkcert.sh/bat)
- Add startup scripts (start-https.sh/bat)
- Add certificate generation script (generate-mkcert-certs.sh)

CSRF and IP Access Fixes:
- Fix CSRF token validation for IP-based access
- Add CSRF troubleshooting documentation
- Update configuration to handle various access patterns

Documentation:
- Add HTTPS_MKCERT_GUIDE.md with setup instructions
- Add README_HTTPS.md with general HTTPS documentation
- Add README_HTTPS_AUTO.md for automatic SSL setup
- Add AUTOMATIC_HTTPS_SUMMARY.md
- Add CSRF_IP_ACCESS_FIX.md and CSRF_IP_FIX_SUMMARY.md
- Add docs/CSRF_IP_ACCESS_GUIDE.md
- Update main README.md with HTTPS information

Configuration:
- Update .gitignore for SSL certificates and nginx configs
- Update env.example with new HTTPS-related variables
- Update docker-compose.yml with SSL configuration options

This enables secure HTTPS access in both development and production
environments while maintaining compatibility with existing deployments.

start-https.sh

@@ -0,0 +1,146 @@
+#!/bin/bash
+# Start TimeTracker with automatic HTTPS
+# Automatically generates certificates and starts all services
+
+set -e
+
+echo "=========================================="
+echo "TimeTracker HTTPS Startup"
+echo "=========================================="
+echo ""
+
+# Detect local IP
+if [[ "$OSTYPE" == "darwin"* ]]; then
+    LOCAL_IP=$(ipconfig getifaddr en0 || ipconfig getifaddr en1 || echo "192.168.1.100")
+elif [[ "$OSTYPE" == "linux-gnu"* ]]; then
+    LOCAL_IP=$(hostname -I | awk '{print $1}' || echo "192.168.1.100")
+else
+    LOCAL_IP="192.168.1.100"
+fi
+
+echo "🌐 Local IP detected: $LOCAL_IP"
+echo ""
+
+# Create nginx config if it doesn't exist
+if [ ! -f nginx/conf.d/https.conf ]; then
+    echo "📝 Creating nginx HTTPS configuration..."
+    mkdir -p nginx/conf.d
+    
+    cat > nginx/conf.d/https.conf << 'NGINX_EOF'
+server {
+    listen 80;
+    server_name _;
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    server_name _;
+
+    ssl_certificate /etc/nginx/ssl/cert.pem;
+    ssl_certificate_key /etc/nginx/ssl/key.pem;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
+
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-Frame-Options "DENY" always;
+    add_header X-Content-Type-Options "nosniff" always;
+
+    location / {
+        proxy_pass http://app:8080;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+    }
+}
+NGINX_EOF
+    
+    echo "✅ nginx configuration created"
+    echo ""
+fi
+
+# Update .env with HTTPS settings if it exists
+if [ -f .env ]; then
+    echo "🔧 Updating .env with HTTPS settings..."
+    
+    # Backup .env
+    cp .env .env.backup 2>/dev/null || true
+    
+    # Update settings
+    sed -i.bak 's/^WTF_CSRF_SSL_STRICT=.*/WTF_CSRF_SSL_STRICT=true/' .env 2>/dev/null || echo "WTF_CSRF_SSL_STRICT=true" >> .env
+    sed -i.bak 's/^SESSION_COOKIE_SECURE=.*/SESSION_COOKIE_SECURE=true/' .env 2>/dev/null || echo "SESSION_COOKIE_SECURE=true" >> .env
+    sed -i.bak 's/^CSRF_COOKIE_SECURE=.*/CSRF_COOKIE_SECURE=true/' .env 2>/dev/null || echo "CSRF_COOKIE_SECURE=true" >> .env
+    
+    # Clean up
+    rm -f .env.bak
+    
+    echo "✅ .env updated"
+    echo ""
+fi
+
+# Export IP for docker-compose
+export HOST_IP=$LOCAL_IP
+
+# Choose certificate method
+echo "Select certificate method:"
+echo "  1) Self-signed (works immediately, shows browser warning)"
+echo "  2) mkcert (trusted certificates, requires one-time CA install)"
+echo ""
+read -p "Choice [1]: " CERT_METHOD
+CERT_METHOD=${CERT_METHOD:-1}
+
+echo ""
+
+if [ "$CERT_METHOD" = "2" ]; then
+    # Check if mkcert is available
+    if command -v mkcert >/dev/null 2>&1; then
+        echo "🔐 Using mkcert for trusted certificates..."
+        docker-compose -f docker-compose.yml -f docker-compose.https-mkcert.yml up -d
+    else
+        echo "⚠️  mkcert not found on host. Using self-signed certificates instead."
+        echo "   Install mkcert for trusted certificates: brew install mkcert (Mac) or choco install mkcert (Windows)"
+        echo ""
+        docker-compose -f docker-compose.yml -f docker-compose.https-auto.yml up -d
+    fi
+else
+    echo "🔐 Using self-signed certificates..."
+    docker-compose -f docker-compose.yml -f docker-compose.https-auto.yml up -d
+fi
+
+echo ""
+echo "=========================================="
+echo "✅ TimeTracker is starting with HTTPS!"
+echo "=========================================="
+echo ""
+echo "Access your application at:"
+echo "  https://localhost"
+echo "  https://$LOCAL_IP"
+echo ""
+
+if [ "$CERT_METHOD" = "1" ] || ! command -v mkcert >/dev/null 2>&1; then
+    echo "⚠️  Browser Warning Expected:"
+    echo "   Self-signed certificates will show a security warning."
+    echo "   Click 'Advanced' → 'Proceed to localhost (unsafe)' to continue."
+    echo ""
+    echo "   For no warnings, run: bash setup-https-mkcert.sh"
+else
+    echo "📋 To avoid browser warnings:"
+    echo "   Install the CA certificate from: nginx/ssl/rootCA.pem"
+    echo "   See instructions above or in HTTPS_MKCERT_GUIDE.md"
+fi
+
+echo ""
+echo "View logs:"
+echo "  docker-compose logs -f"
+echo ""
+echo "Stop services:"
+echo "  docker-compose down"
+echo ""
+