fix: disable CSP upgrade-insecure-requests when HSTS is disabled

The upgrade-insecure-requests CSP directive was forcing browsers to upgrade HTTP to HTTPS even when HSTS was disabled. Now both HSTS and upgrade-insecure-requests are controlled by DISABLE_HSTS env var.
2026-04-14 16:31:26 +03:00 · 2026-04-14 16:31:26 +03:00 · 95d7d057cb
commit 95d7d057cb
parent ab2d33b211
1 changed files with 2 additions and 0 deletions
--- a/backend/app.js
+++ b/backend/app.js
@ -42,6 +42,8 @@ app.use(
                objectSrc: ["'none'"],
                mediaSrc: ["'self'"],
                frameSrc: ["'none'"],
+                upgradeInsecureRequests:
+                    process.env.DISABLE_HSTS === 'true' ? null : [],
            },
        },
        hsts: