From 95d7d057cbf30e02e6766a967311f65498be2c10 Mon Sep 17 00:00:00 2001
From: Chris Veleris
Date: Tue, 14 Apr 2026 16:31:26 +0300
Subject: [PATCH] fix: disable CSP upgrade-insecure-requests when HSTS is disabled

The upgrade-insecure-requests CSP directive was forcing browsers to upgrade HTTP to HTTPS even when HSTS was disabled. Now both HSTS and upgrade-insecure-requests are controlled by DISABLE_HSTS env var.
---
 backend/app.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/backend/app.js b/backend/app.js
index 767d972..a50a65a 100644
--- a/backend/app.js
+++ b/backend/app.js
@@ -42,6 +42,8 @@ app.use(
 objectSrc: ["'none'"],
 mediaSrc: ["'self'"],
 frameSrc: ["'none'"],
+ upgradeInsecureRequests:
+ process.env.DISABLE_HSTS === 'true' ? null : [],
 },
 },
 hsts:
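Review bot: The added `upgradeInsecureRequests` line turns one environment variable into a silent kill switch for HTTPS enforcement, with nothing preventing `DISABLE_HSTS=true` from leaking into a production deployment and dropping both HSTS and the upgrade directive without any log line. I would hoist the check once above the `app.use(` call and fail fast in production: `const hstsDisabled = process.env.DISABLE_HSTS === 'true';` followed by `if (hstsDisabled && process.env.NODE_ENV === 'production') throw new Error('DISABLE_HSTS must not be set in production');`, then reference `hstsDisabled` here and in the `hsts:` option so the two cannot drift apart. The strict `=== 'true'` comparison is the right direction (`1`, `TRUE` or `yes` keep enforcement on), but that fail-closed intent deserves a comment, e.g. `// Only the exact string 'true' disables; any other value keeps HTTPS upgrades on.` Whether `null` removes a default directive rather than being rejected depends on the CSP middleware version in use, which is not visible here and is worth confirming. The enclosing `app.use(` call begins before this hunk and its `hsts:` option continues past its last line.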