Helmet merges default CSP directives (including `upgrade-insecure-requests`) into custom directives when `useDefaults` is true (the default). This caused browsers to upgrade all HTTP sub-resource requests to HTTPS, breaking static assets when the server runs over plain HTTP. This commit conditionally sets `upgrade-insecure-requests` based on FORCE_HTTPS: enabled in production (where HTTPS is available), explicitly disabled (null) otherwise to prevent browser SSL errors on home servers and development environments. Also extracts `shouldForceHttps` to avoid repeated env lookups. |
||
|---|---|---|
| .. | ||
| src | ||
| .env.example | ||
| package-lock.json | ||
| package.json | ||
| reset-admin.js | ||
| tsconfig.json | ||