Merge pull request #69 from saswatds/helmet-fix

fix: resolve static asset SSL errors from helmet's upgrade-insecure-requests
2026-03-29 01:48:08 +01:00
parent e0fd9830d9 e25fec4e4a
commit 399e4acf03
1 changed files with 6 additions and 2 deletions
--- a/server/src/index.ts
+++ b/server/src/index.ts
@@ -44,6 +44,8 @@ if (allowedOrigins) {
  corsOrigin = true;
 }

+const shouldForceHttps = process.env.FORCE_HTTPS === 'true';
+
 app.use(cors({
  origin: corsOrigin,
  credentials: true
@@ -60,13 +62,15 @@ app.use(helmet({
      objectSrc: ["'self'"],
      frameSrc: ["'self'"],
      frameAncestors: ["'self'"],
+      upgradeInsecureRequests: shouldForceHttps ? [] : null
    }
  },
  crossOriginEmbedderPolicy: false,
-  hsts: process.env.FORCE_HTTPS === 'true' ? { maxAge: 31536000, includeSubDomains: false } : false,
+  hsts: shouldForceHttps ? { maxAge: 31536000, includeSubDomains: false } : false,
 }));
+
 // Redirect HTTP to HTTPS (opt-in via FORCE_HTTPS=true)
-if (process.env.FORCE_HTTPS === 'true') {
+if (shouldForceHttps) {
  app.use((req: Request, res: Response, next: NextFunction) => {
    if (req.secure || req.headers['x-forwarded-proto'] === 'https') return next();
    res.redirect(301, 'https://' + req.headers.host + req.url);