From c3ae3a80de9597165e863c67cd81ddf5133565b9 Mon Sep 17 00:00:00 2001
From: Gronod <gordon@i3omb.com>
Date: Sun, 17 May 2026 09:36:26 +0100
Subject: [PATCH] fix: correct upgradeInsecureRequests in index.js (the actual
 production config)

The previous fix was applied to server/app.js (the test factory) but
index.js has its own independent Helmet configuration which is what the
production server actually executes. Both files now gate
upgrade-insecure-requests on TRUST_PROXY instead of NODE_ENV.
---
 server/index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/index.js b/server/index.js
index 7a69e2d..b2e9583 100644
--- a/server/index.js
+++ b/server/index.js
@@ -137,7 +137,7 @@ app.use((req, res, next) => {
         baseUri: ["'self'"],
         frameAncestors: ["'none'"],
         formAction: ["'self'"],
-        upgradeInsecureRequests: process.env.NODE_ENV === 'production' ? [] : null
+        upgradeInsecureRequests: process.env.TRUST_PROXY ? [] : null
       }
     },
     hsts: {