github/TREK
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #69 from saswatds/helmet-fix

Browse Source 
fix: resolve static asset SSL errors from helmet's upgrade-insecure-requests
This commit is contained in:
mauriceboe
2026-03-29 01:48:08 +01:00
committed by GitHub
parent e0fd9830d9 e25fec4e4a
commit 399e4acf03
1 changed files with 6 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
server/src/index.ts
View File

@@ -44,6 +44,8 @@ if (allowedOrigins) {
corsOrigin = true; corsOrigin = true;
} }
const shouldForceHttps = process.env.FORCE_HTTPS === 'true';
app.use(cors({ app.use(cors({
origin: corsOrigin, origin: corsOrigin,
credentials: true credentials: true
@@ -60,13 +62,15 @@ app.use(helmet({
objectSrc: ["'self'"], objectSrc: ["'self'"],
frameSrc: ["'self'"], frameSrc: ["'self'"],
frameAncestors: ["'self'"], frameAncestors: ["'self'"],
upgradeInsecureRequests: shouldForceHttps ? [] : null
} }
}, },
crossOriginEmbedderPolicy: false, crossOriginEmbedderPolicy: false,
hsts: process.env.FORCE_HTTPS === 'true' ? { maxAge: 31536000, includeSubDomains: false } : false, hsts: shouldForceHttps ? { maxAge: 31536000, includeSubDomains: false } : false,
})); }));
// Redirect HTTP to HTTPS (opt-in via FORCE_HTTPS=true) // Redirect HTTP to HTTPS (opt-in via FORCE_HTTPS=true)
if (process.env.FORCE_HTTPS === 'true') { if (shouldForceHttps) {
app.use((req: Request, res: Response, next: NextFunction) => { app.use((req: Request, res: Response, next: NextFunction) => {
if (req.secure || req.headers['x-forwarded-proto'] === 'https') return next(); if (req.secure || req.headers['x-forwarded-proto'] === 'https') return next();
res.redirect(301, 'https://' + req.headers.host + req.url); res.redirect(301, 'https://' + req.headers.host + req.url);