Trek_CN/server
Saswat e25fec4e4a
fix: resolve static asset SSL errors from helmet's upgrade-insecure-requests
Helmet merges default CSP directives (including `upgrade-insecure-requests`)
into custom directives when `useDefaults` is true (the default). This caused
browsers to upgrade all HTTP sub-resource requests to HTTPS, breaking static
assets when the server runs over plain HTTP.

This commit conditionally sets `upgrade-insecure-requests` based on
FORCE_HTTPS: enabled in production (where HTTPS is available), explicitly
disabled (null) otherwise to prevent browser SSL errors on home servers
and development environments.

Also extracts `shouldForceHttps` to avoid repeated env lookups.
2026-03-28 17:30:51 -07:00
..
src fix: resolve static asset SSL errors from helmet's upgrade-insecure-requests 2026-03-28 17:30:51 -07:00
.env.example Initial commit — NOMAD (Navigation Organizer for Maps, Activities & Destinations) 2026-03-18 23:58:08 +01:00
package-lock.json security: upgrade multer 1.4.5 → 2.1.1 — fixes CVE-2025-47944, CVE-2025-47935, CVE-2025-48997, CVE-2025-7338 2026-03-29 00:35:16 +01:00
package.json security: upgrade multer 1.4.5 → 2.1.1 — fixes CVE-2025-47944, CVE-2025-47935, CVE-2025-48997, CVE-2025-7338 2026-03-29 00:35:16 +01:00
reset-admin.js Stabilize core: better-sqlite3, versioned migrations, graceful shutdown 2026-03-22 17:52:24 +01:00
tsconfig.json fix: resolve all TypeScript errors via proper Express 5 typed route params 2026-03-28 20:13:24 +00:00