fix: disable upgrade-insecure-requests for local HTTP access

Helmet's default CSP includes upgrade-insecure-requests, which causes
browsers to upgrade all resource requests (CSS, JS, etc.) to HTTPS.
This breaks LuHost when accessed over HTTP on the local network.

Explicitly disable it so HTTP-only deployments work correctly.
Nathan Schneider
2026-02-02 20:16:05 -07:00
parent def0a66028
commit eebe0d8ac5

3
app.js

@@ -55,7 +55,8 @@ app.use(helmet({
imgSrc: ["'self'", "data:", "https:"],
connectSrc: ["'self'", "ws:", "wss:"],
formAction: ["'self'"],
frameAncestors: ["'none'"]
frameAncestors: ["'none'"],
upgradeInsecureRequests: null // Disable for local HTTP access
}
}
}));
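Review bot: `upgradeInsecureRequests: null` switches the directive off for every deployment, not only HTTP-only ones, so an instance served over HTTPS (for example behind a TLS-terminating reverse proxy) no longer has leftover `http://` subresource URLs rewritten to `https://` and relies on the browser's mixed-content blocking alone. Consider tying it to how the instance is served, e.g. `upgradeInsecureRequests: httpsEnabled ? [] : null`, where `httpsEnabled` is a placeholder for whatever setting the app uses to know it is behind TLS. If it stays unconditional, the inline comment should state the trade-off, e.g. `// Disabled for all deployments: HTTP-only LAN access breaks otherwise; HTTPS installs lose automatic upgrading`. The `app.use(helmet({` call starts above the hunk, so whether any other directive is already set per environment cannot be seen from here.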