From eebe0d8ac5285427099f5428f36dd2a3d8083baa Mon Sep 17 00:00:00 2001
From: Nathan Schneider
Date: Mon, 2 Feb 2026 20:16:05 -0700
Subject: [PATCH] fix: disable upgrade-insecure-requests for local HTTP access

Helmet's default CSP includes upgrade-insecure-requests, which causes browsers to upgrade all resource requests (CSS, JS, etc.) to HTTPS. This breaks LuHost when accessed over HTTP on the local network. Explicitly disable it so HTTP-only deployments work correctly.
---
 app.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app.js b/app.js
index 291b4ba..ac8b7c5 100644
--- a/app.js
+++ b/app.js
@@ -55,7 +55,8 @@ app.use(helmet({
 imgSrc: ["'self'", "data:", "https:"],
 connectSrc: ["'self'", "ws:", "wss:"],
 formAction: ["'self'"],
- frameAncestors: ["'none'"]
+ frameAncestors: ["'none'"],
+ upgradeInsecureRequests: null // Disable for local HTTP access
 }
 }
 }));
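Review bot: The added `upgradeInsecureRequests: null` drops the directive for every deployment, including any instance served over HTTPS (for example behind a TLS-terminating proxy), where it still guards against mixed-content loads. Consider tying it to the transport instead, e.g. `upgradeInsecureRequests: servedOverHttps ? [] : null`, where `servedOverHttps` is a placeholder for whatever setting the project uses to know TLS is in front. The inline comment could also state the trade-off, such as `// Omitted so plain-HTTP LAN access works; re-enable when served over HTTPS`. The `helmet({...})` call opens above this hunk, so whether other HTTPS-oriented defaults are handled for HTTP-only use cannot be judged from here.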