Add comprehensive security hardening for production deployment

Security improvements:
- Environment-based configuration with .env file system
- Production-ready config with disabled error display
- HTTPS enforcement and HSTS headers
- Session security with regeneration and secure flags
- CSRF protection implementation
- Rate limiting for login and API requests
- Comprehensive .htaccess security rules
- File upload security (PHP execution disabled)
- Directory protection (includes, logs, uploads)
- Sensitive file blocking (.env, .git, logs)
- Custom error pages (403, 404, 500)
- Security headers (X-Frame-Options, CSP, etc.)
- Updated .gitignore to exclude sensitive files

Files added:
- .env.example (configuration template)
- includes/env.php (environment loader)
- includes/config.production.php (secure production config)
- includes/csrf.php (CSRF protection helpers)
- .htaccess (root security rules)
- includes/.htaccess (deny all access)
- logs/.htaccess (deny all access)
- assets/uploads/.htaccess (prevent PHP execution)
- error-pages/403.html (custom forbidden page)
- error-pages/404.html (custom not found page)
- error-pages/500.html (custom error page)
- DEPLOYMENT.md (complete deployment guide)
- SECURITY.md (security documentation)

Security vulnerabilities fixed:
- Database credentials no longer hardcoded
- Debug mode disabled in production
- Session hijacking prevention
- XSS protection with output escaping
- SQL injection prevention verified
- CSRF attack prevention
- File upload exploit prevention
- Directory traversal blocked
- Information disclosure prevented

Production ready with OWASP Top 10 protections implemented.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
