Add TLS/HTTPS support with auto-detection

- Server auto-detects cert/key in backend/certs/ and starts HTTPS
- Falls back to plain HTTP if no certs found or TLS_ENABLED=false
- Self-signed cert generated for dev (365-day, gitignored)
- Added TLS env vars to .env.example
- Frontend rebuilt with https:// API URLs for dev server

backend/server.js

@@ -1203,8 +1203,30 @@ if (fs.existsSync(frontendBuild)) {
     });
 }
 
-// Start server
-app.listen(PORT, () => {
-    console.log(`CVE API server running on http://${API_HOST}:${PORT}`);
-    console.log(`CORS origins: ${CORS_ORIGINS.join(', ')}`);
-});
+// Start server — use HTTPS if TLS cert/key are available, otherwise plain HTTP
+const TLS_CERT = process.env.TLS_CERT || path.join(__dirname, 'certs', 'cert.pem');
+const TLS_KEY = process.env.TLS_KEY || path.join(__dirname, 'certs', 'key.pem');
+const TLS_ENABLED = process.env.TLS_ENABLED !== 'false' && fs.existsSync(TLS_CERT) && fs.existsSync(TLS_KEY);
+
+if (TLS_ENABLED) {
+    const https = require('https');
+    const httpsOptions = {
+        cert: fs.readFileSync(TLS_CERT),
+        key: fs.readFileSync(TLS_KEY),
+    };
+    https.createServer(httpsOptions, app).listen(PORT, () => {
+        console.log(`CVE API server running on https://${API_HOST}:${PORT}`);
+        console.log(`TLS: enabled (cert: ${TLS_CERT})`);
+        console.log(`CORS origins: ${CORS_ORIGINS.join(', ')}`);
+    });
+} else {
+    app.listen(PORT, () => {
+        console.log(`CVE API server running on http://${API_HOST}:${PORT}`);
+        if (!fs.existsSync(TLS_CERT) || !fs.existsSync(TLS_KEY)) {
+            console.log('TLS: disabled (no certs found in backend/certs/)');
+        } else {
+            console.log('TLS: disabled (TLS_ENABLED=false)');
+        }
+        console.log(`CORS origins: ${CORS_ORIGINS.join(', ')}`);
+    });
+}