From ab2beac4b8072a472768ae7e58fd6e459edf796e Mon Sep 17 00:00:00 2001
From: April Arcus
Date: Fri, 3 Apr 2026 19:00:07 -0700
Subject: [PATCH] Don't force HTTPS in local dev

---
 @app/server/src/middleware/installHelmet.ts | 31 +++++++++++++--------
 1 file changed, 20 insertions(+), 11 deletions(-)

diff --git a/@app/server/src/middleware/installHelmet.ts b/@app/server/src/middleware/installHelmet.ts
index 1006cc65..81630800 100644
--- a/@app/server/src/middleware/installHelmet.ts
+++ b/@app/server/src/middleware/installHelmet.ts
@@ -8,8 +8,8 @@ if (!tmpRootUrl || typeof tmpRootUrl !== "string") {
 }
 const ROOT_URL = tmpRootUrl;
 
-const isDevOrTest =
- process.env.NODE_ENV === "development" || process.env.NODE_ENV === "test";
+const isDev = process.env.NODE_ENV === "development";
+const isTest = process.env.NODE_ENV === "test";
 
 export default async function installHelmet(app: Express) {
 const { default: helmet, contentSecurityPolicy } = await import("helmet");
@@ -28,14 +28,23 @@ export default async function installHelmet(app: Express) {
 },
 },
 };
- if (isDevOrTest) {
- // Appease TypeScript
- if (
- typeof options.contentSecurityPolicy === "boolean" ||
- !options.contentSecurityPolicy
- ) {
- throw new Error(`contentSecurityPolicy must be an object`);
- }
+ // Appease TypeScript
+ if (
+ typeof options.contentSecurityPolicy === "boolean" ||
+ !options.contentSecurityPolicy
+ ) {
+ throw new Error(`contentSecurityPolicy must be an object`);
+ }
+ if (isDev) {
+ // Disable HSTS in dev so browsers don't cache "always use HTTPS" for localhost
+ options.hsts = false;
+
+ // Remove upgrade-insecure-requests in dev — it causes browsers to upgrade
+ // subresource requests to HTTPS even when the server only speaks HTTP.
+ options.contentSecurityPolicy.directives!["upgrade-insecure-requests"] =
+ null;
+ }
+ if (isDev || isTest) {
 // Dev needs 'unsafe-eval' due to
 // https://github.com/vercel/next.js/issues/14221
 options.contentSecurityPolicy.directives!["script-src"] = [
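Review bot: The two `directives!` non-null assertions in this hunk sit right after a guard that could cover them: the moved `// Appease TypeScript` check already narrows `contentSecurityPolicy` to an object, so adding `|| !options.contentSecurityPolicy.directives` to its condition should let both `directives![...]` writes drop the `!` (the narrowing ought to survive the intervening `options.hsts = false`, but confirm with tsc). The HSTS and `upgrade-insecure-requests` relaxation keys on an exact `NODE_ENV === "development"` match, so an unset or misspelled NODE_ENV keeps the full transport policy; that fail-closed choice deserves a comment, e.g. `// Only an explicit NODE_ENV=development relaxes transport security; unset or "production" keeps HSTS and upgrade-insecure-requests.` The test environment keeps both settings even though the commit title targets local development; if the test runner drives a browser against an http:// origin it would presumably hit the same upgrade behaviour, though nothing in the hunk shows how tests are served. installHelmet's body and the head of the `options` literal lie outside this hunk.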
@@ -43,7 +52,7 @@ export default async function installHelmet(app: Express) {
 "'unsafe-eval'",
 ];
 }
- if (isDevOrTest || !!process.env.ENABLE_GRAPHIQL) {
+ if (isDev || isTest || !!process.env.ENABLE_GRAPHIQL) {
 // Enables prettier script and SVG icon in GraphiQL
 options.crossOriginEmbedderPolicy = false;
 }