pushed
zhengqunkoo/Luxuryshoppingwebsite • 2:58 AM - Feb 5, 2026
This change addresses review feedback in app.py by making SESSION_COOKIE_SECURE depend on whether the app is using the local DB, which avoids breaking non-HTTPS local development while still enforcing secure cookies in production. It also tightens the Content Security Policy by removing http: from img-src, reducing mixed-content exposure, and adds comments clarifying the current unsafe-inline tradeoff and a future hardening path. The practical effect is a smoother local dev setup with slightly stronger default security in deployed environments.
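The two settings the push describes, reduced to something you can run and check: Flask's `SESSION_COOKIE_SECURE` switched off only when the app runs against the local DB over plain HTTP, and a Content Security Policy whose `img-src` no longer lists `http:`, plus small checks that flag plaintext-HTTP sources and `'unsafe-inline'` in any CSP header and confirm the `Secure` attribute on a `Set-Cookie` line. This is an added example, not code from app.py or the Luxuryshoppingwebsite repository; the `USE_LOCAL_DB` environment variable, the `data:`/`https:` image sources and the exact directive set are assumptions, and no Flask import is needed because only the config values and headers are modelled.

```python
"""Session-cookie and CSP hardening in the shape of the change above (added example)."""
from typing import Dict, List

# Key names are Flask's own app.config keys; the policy of when to drop Secure
# mirrors the change: only the local-DB (non-HTTPS) development setup loses it.
def session_cookie_config(using_local_db: bool) -> Dict[str, object]:
    """Return session-cookie settings for a Flask-style app.config."""
    return {
        "SESSION_COOKIE_SECURE": not using_local_db,  # browser sends it over HTTPS only
        "SESSION_COOKIE_HTTPONLY": True,              # keeps the id out of document.cookie
        "SESSION_COOKIE_SAMESITE": "Lax",             # blunts cross-site POST CSRF
    }


def using_local_db_from_env(environ: Dict[str, str]) -> bool:
    """Hypothetical selector: USE_LOCAL_DB=1 marks local development."""
    return environ.get("USE_LOCAL_DB", "0") == "1"


def build_csp(allow_http_images: bool, allow_inline_scripts: bool) -> str:
    """Assemble a CSP header; the two flags are the before/after knobs."""
    img_src = ["'self'", "data:", "https:"]     # assumed baseline image sources
    if allow_http_images:
        img_src.append("http:")                 # the source the change removed
    script_src = ["'self'"]
    if allow_inline_scripts:
        # The current tradeoff; nonces or hashes are the usual hardening path.
        script_src.append("'unsafe-inline'")
    directives = {
        "default-src": ["'self'"],
        "img-src": img_src,
        "script-src": script_src,
    }
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in directives.items())


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source, ...]}."""
    result: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            result[tokens[0].lower()] = tokens[1:]
    return result


def insecure_sources(header: str) -> Dict[str, List[str]]:
    """Per directive, list sources that permit plaintext-HTTP fetches.

    On an HTTPS page these are the mixed-content openings; 'http:' as a scheme
    source and explicit http:// host sources are flagged, a bare '*' is not,
    because '*' does not match http: on an https: document.
    """
    findings: Dict[str, List[str]] = {}
    for directive, sources in parse_csp(header).items():
        bad = [s for s in sources
               if s.lower() == "http:" or s.lower().startswith("http://")]
        if bad:
            findings[directive] = bad
    return findings


def unsafe_inline_directives(header: str) -> List[str]:
    """Directives that still carry 'unsafe-inline' (the documented tradeoff)."""
    return [d for d, srcs in parse_csp(header).items()
            if "'unsafe-inline'" in (s.lower() for s in srcs)]


def cookie_is_secure(set_cookie: str) -> bool:
    """True when a Set-Cookie header line carries the Secure attribute."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return "secure" in attrs


if __name__ == "__main__":
    before = build_csp(allow_http_images=True, allow_inline_scripts=True)
    after = build_csp(allow_http_images=False, allow_inline_scripts=True)
    print("before:", before, "->", insecure_sources(before))
    print("after: ", after, "->", insecure_sources(after))
    print("still inline:", unsafe_inline_directives(after))
    print("local dev cookie config:", session_cookie_config(using_local_db=True))
    print("deployed cookie config:", session_cookie_config(using_local_db=False))
```

Run `insecure_sources()` against the `Content-Security-Policy` header of the deployed site and `cookie_is_secure()` against its `Set-Cookie` line to confirm the deployed environment actually gets the stricter settings; the local-DB branch is the only one that should ever report a non-Secure session cookie.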
