From 94fe0dea4d61caa36bba8adc19199f161a06030d Mon Sep 17 00:00:00 2001
From: Gronod
Date: Sun, 17 May 2026 09:34:52 +0100
Subject: [PATCH] fix: only emit upgrade-insecure-requests when TRUST_PROXY is set
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
NODE_ENV=production enabled upgrade-insecure-requests unconditionally, which instructed browsers to upgrade HTTP subresource requests to HTTPS. When sofarr is accessed directly over HTTP (no reverse proxy), this silently blocks all CSS, JS, and image loads — the page renders unstyled with no functionality. The correct signal for 'we are behind HTTPS' is TRUST_PROXY, not NODE_ENV. upgrade-insecure-requests is now only emitted when a TLS-terminating reverse proxy is confirmed to be in front.
---
 server/app.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/app.js b/server/app.js
index 4ee54a3..edeaebc 100644
--- a/server/app.js
+++ b/server/app.js
@@ -50,7 +50,7 @@ function createApp({ skipRateLimits = false } = {}) {
 baseUri: ["'self'"],
 frameAncestors: ["'none'"],
 formAction: ["'self'"],
- upgradeInsecureRequests: process.env.NODE_ENV === 'production' ? [] : null
+ upgradeInsecureRequests: process.env.TRUST_PROXY ? [] : null
 }
 },
 hsts: { maxAge: 31536000, includeSubDomains: true, preload: true },
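Review bot: The new condition `process.env.TRUST_PROXY ? [] : null` tests string truthiness, so a deployment that sets `TRUST_PROXY=false` or `TRUST_PROXY=0` still emits upgrade-insecure-requests and would hit the same blocked-subresource failure over plain HTTP that this commit is fixing. Normalising the value first would avoid that, e.g. `const trustProxy = (process.env.TRUST_PROXY || '').trim().toLowerCase();` followed by `upgradeInsecureRequests: trustProxy && trustProxy !== 'false' && trustProxy !== '0' ? [] : null`. How TRUST_PROXY is parsed elsewhere in the app is not visible in this hunk, so the check here should be made to match that parsing rather than diverge from it. The variable also only says a proxy is trusted, not that it terminates TLS, so a comment such as `// TRUST_PROXY is treated as "TLS terminates upstream"; a plain-HTTP proxy will break subresource loads` would make the assumption explicit. The body of createApp starts and ends outside the hunk.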