config: make ALLOWED_HOSTS configurable via environment variable

Change ALLOWED_HOSTS from a hardcoded list to be read from environment
variable with comma-separated values support. Maintains '*' as default
fallback for backward compatibility. This allows more restrictive host
configuration in production environments while improving security posture.

booking_system/settings.py

@@ -12,7 +12,10 @@ SECRET_KEY = os.getenv('JWT_SECRET', 'django-insecure-fallback-secret-key')
 
 DEBUG = os.getenv('DEBUG')
 
-ALLOWED_HOSTS = ["*"]
+ALLOWED_HOSTS = os.getenv(
+    'ALLOWED_HOSTS', 
+    '*'
+).split(',')
 
 CORS_ALLOWED_ORIGINS = os.getenv(
     'CORS_ALLOWED_ORIGINS',