Gandalf/sofarr
1
0
Fork 0
Code Issues 1 Pull Requests Actions 1 Packages Projects Releases 15 Wiki Activity

fix: only emit upgrade-insecure-requests when TRUST_PROXY is set
Some checks failed
Build and Push Docker Image / build (push) Successful in 31s
Details
CI / Tests & coverage (push) Has been cancelled
Details
CI / Security audit (push) Has been cancelled
Details

Browse Source 
NODE_ENV=production enabled upgrade-insecure-requests unconditionally,
which instructed browsers to upgrade HTTP subresource requests to HTTPS.
When sofarr is accessed directly over HTTP (no reverse proxy), this
silently blocks all CSS, JS, and image loads — the page renders unstyled
with no functionality.

The correct signal for 'we are behind HTTPS' is TRUST_PROXY, not
NODE_ENV. upgrade-insecure-requests is now only emitted when a
TLS-terminating reverse proxy is confirmed to be in front.
This commit is contained in:
Gronod
2026-05-17 09:34:52 +01:00
parent 3c3382401c
commit 94fe0dea4d
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
server/app.js
View File

@@ -50,7 +50,7 @@ function createApp({ skipRateLimits = false } = {}) {
baseUri: ["'self'"],
frameAncestors: ["'none'"],
formAction: ["'self'"],
upgradeInsecureRequests: process.env.NODE_ENV === 'production' ? [] : null
upgradeInsecureRequests: process.env.TRUST_PROXY ? [] : null
}
},
hsts: { maxAge: 31536000, includeSubDomains: true, preload: true },