fix: correct upgradeInsecureRequests in index.js (the actual production config)

The previous fix was applied to server/app.js (the test factory) but index.js has its own independent Helmet configuration which is what the production server actually executes. Both files now gate upgrade-insecure-requests on TRUST_PROXY instead of NODE_ENV.
2026-05-17 09:36:26 +01:00
parent 94fe0dea4d
commit c3ae3a80de
1 changed files with 1 additions and 1 deletions
--- a/server/index.js
+++ b/server/index.js
@@ -137,7 +137,7 @@ app.use((req, res, next) => {
        baseUri: ["'self'"],
        frameAncestors: ["'none'"],
        formAction: ["'self'"],
-        upgradeInsecureRequests: process.env.NODE_ENV === 'production' ? [] : null
+        upgradeInsecureRequests: process.env.TRUST_PROXY ? [] : null
      }
    },
    hsts: {