feat: add DISABLE_HSTS environment variable for local development

Allow disabling HSTS (HTTP Strict Transport Security) headers via DISABLE_HSTS=true environment variable. This is useful for local development when running production builds on localhost/HTTP. When DISABLE_HSTS=true, the Strict-Transport-Security header is not sent, preventing browsers from forcing HTTPS connections that would fail on local HTTP-only setups. Production deployments should not set this variable to maintain proper HSTS security.
2026-04-14 16:08:50 +03:00 · 2026-04-14 16:08:50 +03:00 · 40295e02a7
commit 40295e02a7
parent a9c1bb3013
1 changed files with 8 additions and 7 deletions
--- a/backend/app.js
+++ b/backend/app.js
@ -44,13 +44,14 @@ app.use(
                frameSrc: ["'none'"],
            },
        },
-        hsts: config.production
-            ? {
-                  maxAge: 31536000,
-                  includeSubDomains: true,
-                  preload: true,
-              }
-            : false,
+        hsts:
+            config.production && process.env.DISABLE_HSTS !== 'true'
+                ? {
+                      maxAge: 31536000,
+                      includeSubDomains: true,
+                      preload: true,
+                  }
+                : false,
    })
 );
 app.use(compression());