Gronod 94fe0dea4d fix: only emit upgrade-insecure-requests when TRUST_PROXY is set ...

NODE_ENV=production enabled upgrade-insecure-requests unconditionally,
which instructed browsers to upgrade HTTP subresource requests to HTTPS.
When sofarr is accessed directly over HTTP (no reverse proxy), this
silently blocks all CSS, JS, and image loads — the page renders unstyled
with no functionality.

The correct signal for 'we are behind HTTPS' is TRUST_PROXY, not
NODE_ENV. upgrade-insecure-requests is now only emitted when a
TLS-terminating reverse proxy is confirmed to be in front.

2026-05-17 09:34:52 +01:00

..

middleware

feat(security): production hardening for external deployment

2026-05-17 06:47:25 +01:00

routes

feat: replace client polling with Server-Sent Events (SSE)

2026-05-17 08:35:22 +01:00

utils

fix: correct status panel cache stats and static asset caching

2026-05-17 08:46:55 +01:00

app.js

fix: only emit upgrade-insecure-requests when TRUST_PROXY is set

2026-05-17 09:34:52 +01:00

index.js

fix: remove nonce from <link> tags — breaks CSS on mobile/caching proxies

2026-05-17 09:28:44 +01:00