Saswat e25fec4e4a fix: resolve static asset SSL errors from helmet's upgrade-insecure-requests ...

Helmet merges default CSP directives (including `upgrade-insecure-requests`)
into custom directives when `useDefaults` is true (the default). This caused
browsers to upgrade all HTTP sub-resource requests to HTTPS, breaking static
assets when the server runs over plain HTTP.

This commit conditionally sets `upgrade-insecure-requests` based on
FORCE_HTTPS: enabled in production (where HTTPS is available), explicitly
disabled (null) otherwise to prevent browser SSL errors on home servers
and development environments.

Also extracts `shouldForceHttps` to avoid repeated env lookups.

2026-03-28 17:30:51 -07:00

..

src

fix: resolve static asset SSL errors from helmet's upgrade-insecure-requests

2026-03-28 17:30:51 -07:00

.env.example

Initial commit — NOMAD (Navigation Organizer for Maps, Activities & Destinations)

2026-03-18 23:58:08 +01:00

package-lock.json

security: upgrade multer 1.4.5 → 2.1.1 — fixes CVE-2025-47944, CVE-2025-47935, CVE-2025-48997, CVE-2025-7338

2026-03-29 00:35:16 +01:00

package.json

security: upgrade multer 1.4.5 → 2.1.1 — fixes CVE-2025-47944, CVE-2025-47935, CVE-2025-48997, CVE-2025-7338

2026-03-29 00:35:16 +01:00

reset-admin.js

Stabilize core: better-sqlite3, versioned migrations, graceful shutdown

2026-03-22 17:52:24 +01:00

tsconfig.json

fix: resolve all TypeScript errors via proper Express 5 typed route params

2026-03-28 20:13:24 +00:00