From 40295e02a7250ec2ecc63323aadae20eb6e88ecf Mon Sep 17 00:00:00 2001
From: Chris Veleris
Date: Tue, 14 Apr 2026 16:08:50 +0300
Subject: [PATCH] feat: add DISABLE_HSTS environment variable for local development

Allow disabling HSTS (HTTP Strict Transport Security) headers via DISABLE_HSTS=true environment variable. This is useful for local development when running production builds on localhost/HTTP. When DISABLE_HSTS=true, the Strict-Transport-Security header is not sent, preventing browsers from forcing HTTPS connections that would fail on local HTTP-only setups. Production deployments should not set this variable to maintain proper HSTS security.

---
 backend/app.js | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/backend/app.js b/backend/app.js
index 971f81c..767d972 100644
--- a/backend/app.js
+++ b/backend/app.js
@@ -44,13 +44,14 @@ app.use(
 frameSrc: ["'none'"],
 },
 },
- hsts: config.production
- ? {
- maxAge: 31536000,
- includeSubDomains: true,
- preload: true,
- }
- : false,
+ hsts:
+ config.production && process.env.DISABLE_HSTS !== 'true'
+ ? {
+ maxAge: 31536000,
+ includeSubDomains: true,
+ preload: true,
+ }
+ : false,
 })
 );
 app.use(compression());
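Review bot: The new `config.production && process.env.DISABLE_HSTS !== 'true'` condition turns HSTS off silently, so a production instance that inherits DISABLE_HSTS=true from a copied .env or a shared container image loses the Strict-Transport-Security header with nothing in the logs to show it. Hoist the flag into a named constant above the helmet call and warn when it takes effect in production mode, e.g. `const hstsDisabled = process.env.DISABLE_HSTS === 'true';` followed by `if (config.production && hstsDisabled) console.warn('DISABLE_HSTS=true: Strict-Transport-Security header is NOT being sent');`, then use `config.production && !hstsDisabled` in the ternary. It is also worth a comment on the `hsts:` line such as `// Local-dev escape hatch only: anything other than the exact string 'true' keeps HSTS on (fail-closed)`, since values like `1` or `TRUE` are intentionally ignored and a maintainer may otherwise "fix" that. The enclosing `app.use(helmet({...}))` call starts before this hunk.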