Modpol/LuHost
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: disable upgrade-insecure-requests for local HTTP access

Browse Source 
Helmet's default CSP includes upgrade-insecure-requests, which causes
browsers to upgrade all resource requests (CSS, JS, etc.) to HTTPS.
This breaks LuHost when accessed over HTTP on the local network.

Explicitly disable it so HTTP-only deployments work correctly.
This commit is contained in:
Nathan Schneider
2026-02-02 20:16:05 -07:00
parent def0a66028
commit eebe0d8ac5
1 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
app.js
View File

@@ -55,7 +55,8 @@ app.use(helmet({
imgSrc: ["'self'", "data:", "https:"], imgSrc: ["'self'", "data:", "https:"],
connectSrc: ["'self'", "ws:", "wss:"], connectSrc: ["'self'", "ws:", "wss:"],
formAction: ["'self'"], formAction: ["'self'"],
frameAncestors: ["'none'"] frameAncestors: ["'none'"],
upgradeInsecureRequests: null // Disable for local HTTP access
} }
} }
})); }));