Parent: #199
Api/Program.cs calls UseHttpsRedirection() but never UseHsts(). The canonical ASP.NET Core middleware order calls HSTS before HTTPS redirection in production behind TLS.
Fix:
    if (!app.Environment.IsDevelopment())
    {
        app.UseHsts();
    }
    app.UseHttpsRedirection();
Severity: medium.
Refs:
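An added example, not code from this repository: a minimal Program.cs showing the proposed ordering together with an explicit HSTS policy. It assumes TLS terminates at a reverse proxy that sets X-Forwarded-Proto; the policy values, the proxy setup and the "/" endpoint are illustrative assumptions.

```csharp
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);

// Explicit HSTS policy (values are assumptions for illustration).
// Framework defaults: MaxAge 30 days, IncludeSubDomains false, Preload false.
builder.Services.AddHsts(options =>
{
    options.MaxAge = TimeSpan.FromDays(365);
    options.IncludeSubDomains = true;
    // ExcludedHosts already contains localhost, 127.0.0.1 and [::1],
    // so local runs never receive the header.
});

// Assumption: TLS is terminated at a reverse proxy. The HSTS middleware only
// writes Strict-Transport-Security when Request.IsHttps is true, so the
// forwarded scheme has to be applied before UseHsts() runs.
builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders =
        ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
    // Only loopback proxies are trusted by default; a real deployment adds
    // its proxy to options.KnownProxies or options.KnownNetworks.
});

var app = builder.Build();

// Must come first so later middleware sees the original scheme.
app.UseForwardedHeaders();

if (!app.Environment.IsDevelopment())
{
    // HSTS before HTTPS redirection, as proposed in this issue.
    app.UseHsts();
}
app.UseHttpsRedirection();

// Hypothetical endpoint so the file runs on its own.
app.MapGet("/", () => "ok");

app.Run();
```

To confirm the fix in a non-development environment, request the site over HTTPS using a host name other than localhost and check that the response carries `Strict-Transport-Security: max-age=31536000; includeSubDomains`.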