added caddy

.env.example

@@ -11,9 +11,14 @@ BACKEND_PORT=8080
 # 64+ hex chars. Generate: openssl rand -hex 32
 SESSION_SECRET=please_generate_a_long_random_secret_at_least_64_chars_xxxxxxxxxx
 # Public URL of the frontend, used to build verification/reset links.
+# Prod: https://consume.narl.io
 PUBLIC_APP_URL=http://localhost:5173
 # Comma-separated allowed CORS origins.
+# Prod (same-origin behind Caddy): https://consume.narl.io
 CORS_ORIGINS=http://localhost:5173
+# Mark the session cookie Secure (HTTPS-only). Auto-on when PUBLIC_APP_URL is
+# https; override here. Must be true in production, false for plain-http dev.
+# COOKIE_SECURE=true
 
 # ── SMTP (mail notifications + verification) ────────────────
 SMTP_HOST=smtp.example.com
@@ -25,5 +30,6 @@ SMTP_FROM="Shopping List <no-reply@example.com>"
 SMTP_SECURITY=starttls
 
 # ── Frontend ────────────────────────────────────────────────
-# Where the SvelteKit app reaches the backend (server-side).
+# Base origin the browser uses to reach the backend (no trailing /api).
+# Prod (same-origin behind Caddy): https://consume.narl.io
 PUBLIC_API_BASE=http://localhost:8080