feat(security): make CSP upgrade-insecure-requests configurable (#611) #612

Merged: rmyndharis merged 1 commit into main from feat/csp-upgrade-insecure-requests-config on Jul 3, 2026

@rmyndharis (Owner)

Closes #611.

Summary

The CSP upgrade-insecure-requests directive was hardcoded on whenever NODE_ENV=production, so browsers auto-upgrade every dashboard request from HTTP to HTTPS. That is correct for Internet-facing TLS deployments, but a production instance intentionally served over HTTP on a trusted private network (TLS terminated elsewhere, or not required) becomes unreachable from the browser — the request to http://server:2785 is silently rewritten to https://server:2785.

Change

A new CSP_UPGRADE_INSECURE_REQUESTS environment variable controls the directive, resolved by a pure isUpgradeInsecureRequestsEnabled helper next to the other bootstrap-security env gates:

| Value | Result |
| --- | --- |
| unset | legacy default — on in production, off elsewhere |
| false | off (HTTP-only private-network deployments) |
| true | on, regardless of NODE_ENV |

Backward compatible: the default is unchanged, so existing deployments are unaffected. The REST API was never affected; this only concerns the browser dashboard.

Tests

Unit tests for the resolver cover the legacy default per NODE_ENV, the explicit override in both directions, and non-true/false values falling back to the default. Full backend suite green (1906 tests); lint and build clean. .env.example documents the flag.

The CSP `upgrade-insecure-requests` directive was hardcoded on in
production, which makes the browser force the dashboard to https. On a
trusted private-network deployment intentionally serving HTTP only, that
leaves the dashboard unreachable.

Add CSP_UPGRADE_INSECURE_REQUESTS: unset keeps the legacy default (on in
production, off elsewhere); 'false' opts out; 'true' forces it on.
Resolved by a pure isUpgradeInsecureRequestsEnabled helper alongside the
other bootstrap-security env gates.
@rmyndharis rmyndharis merged commit c1b9c1e into main Jul 3, 2026
5 checks passed
@rmyndharis rmyndharis deleted the feat/csp-upgrade-insecure-requests-config branch July 3, 2026 08:27
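
The resolution rules described in this PR, as an added sketch that is not the project's own code: only the names `isUpgradeInsecureRequestsEnabled`, `CSP_UPGRADE_INSECURE_REQUESTS` and `NODE_ENV` come from the page. The function signature, exact-match string parsing, the hypothetical `buildCspHeader` helper and the baseline policy are assumptions.

```javascript
// Added example, not the project's code. The signature and exact-match
// parsing are assumptions; the page describes only the resulting behaviour.
function isUpgradeInsecureRequestsEnabled(env) {
  const raw = env.CSP_UPGRADE_INSECURE_REQUESTS;
  if (raw === 'true') return true;   // forced on, regardless of NODE_ENV
  if (raw === 'false') return false; // opt-out for HTTP-only private networks
  // Unset or any other value: legacy default (on in production, off elsewhere).
  return env.NODE_ENV === 'production';
}

// Hypothetical helper: build a CSP header value with the directive gated
// by the resolver. The baseline policy is constructed for illustration.
function buildCspHeader(env) {
  const directives = ["default-src 'self'"];
  if (isUpgradeInsecureRequestsEnabled(env)) {
    directives.push('upgrade-insecure-requests');
  }
  return directives.join('; ');
}

// Constructed sample environments covering each row of the table above,
// plus an unrecognised value that must not silently disable the directive.
const sampleEnvs = [
  { NODE_ENV: 'production' },
  { NODE_ENV: 'development' },
  { NODE_ENV: 'production', CSP_UPGRADE_INSECURE_REQUESTS: 'false' },
  { NODE_ENV: 'development', CSP_UPGRADE_INSECURE_REQUESTS: 'true' },
  { NODE_ENV: 'production', CSP_UPGRADE_INSECURE_REQUESTS: 'no' },
];

for (const env of sampleEnvs) {
  console.log(JSON.stringify(env), '->', buildCspHeader(env));
}
```

Because an unrecognised value falls back to the default, a typo in a production `.env` leaves the directive on, so the setting fails closed rather than dropping the upgrade.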
Development

Successfully merging this pull request may close these issues.

Make upgrade-insecure-requests configurable via environment variable