Modpol/LuHost
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: Modpol/LuHost:deed72641089ea8f848c412c75f6f97bf45cc657
Branches Tags
Modpol/LuHost:main
..
compare: Modpol/LuHost:fb46519722c5c4b55361d811a72bbb420aee541e
Branches Tags
Modpol/LuHost:main

2 Commits
deed726410 .. fb46519722

Author SHA1 Message Date
Nathan Schneider fb46519722 Merge branch 'main' of https://git.medlab.host/Modpol/LuHost 2026-02-02 20:17:08 -07:00
Nathan Schneider eebe0d8ac5 fix: disable upgrade-insecure-requests for local HTTP access 
Helmet's default CSP includes upgrade-insecure-requests, which causes
browsers to upgrade all resource requests (CSS, JS, etc.) to HTTPS.
This breaks LuHost when accessed over HTTP on the local network.

Explicitly disable it so HTTP-only deployments work correctly.
 2026-02-02 20:16:05 -07:00
1 changed files with 2 additions and 1 deletions
Expand all files Collapse all files
app.js
+2 -1
View File
@@ -55,7 +55,8 @@ app.use(helmet({
imgSrc: ["'self'", "data:", "https:"],
connectSrc: ["'self'", "ws:", "wss:"],
formAction: ["'self'"],
frameAncestors: ["'none'"]
frameAncestors: ["'none'"],
upgradeInsecureRequests: null // Disable for local HTTP access
}
}
}));