From eefe747a9e42d63daa5de5ed9e90b1506edacbac Mon Sep 17 00:00:00 2001 From: "debian.StillHammer" Date: Tue, 9 Dec 2025 01:19:38 +0000 Subject: [PATCH] Remove HSTS header for public endpoints to allow HTTP access MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Changes: - Conditional Strict-Transport-Security header - Only applied to protected endpoints (require auth) - Public endpoints (/health, /api, /docs/api, /public/download/*) can use HTTP - Fixes PowerShell/browser connection issues over HTTP Security: - Protected endpoints still enforce HTTPS via HSTS - Public endpoints remain accessible over HTTP for flexibility - Other security headers (X-Frame-Options, CSP, etc.) still apply Resolves: - TLS connection errors from PowerShell - Client network socket disconnection issues - Allows public documentation access without SSL 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude
---
src/server.js | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/server.js b/src/server.js
index f012e7d..9aabd0f 100644
--- a/src/server.js
+++ b/src/server.js
@@ -87,10 +87,19 @@ app.use(express.json());
 // Security headers
 app.use((req, res, next) => {
+ // Public endpoints that should work over HTTP
+ const publicEndpoints = ['/health', '/api', '/docs/api'];
+ const isPublic = publicEndpoints.includes(req.path) || req.path.startsWith('/public/download/');
+
 res.setHeader('X-Content-Type-Options', 'nosniff');
 res.setHeader('X-Frame-Options', 'DENY');
 res.setHeader('X-XSS-Protection', '1; mode=block');
- res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+
+ // Only enforce HTTPS for protected endpoints
+ if (!isPublic) {
+ res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+ }
+
 res.setHeader(
 'Content-Security-Policy',
 "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'"
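Review bot: The path-based `isPublic` gate around Strict-Transport-Security cannot deliver what the commit message promises, because HSTS is a per-host policy (RFC 6797), not a per-path one: a browser that has cached the header from any protected response on this host will keep rewriting `/health`, `/api` and `/public/download/*` to HTTPS for the full one-year `max-age` (with `includeSubDomains`), and the protected paths gain nothing the public ones lack. Non-browser clients such as PowerShell's Invoke-WebRequest generally do not honor HSTS at all, so the TLS errors the commit cites are presumably caused by something else and should be reproduced after this change before it is considered a fix. If plain-HTTP access is really required, the decision belongs to the connection rather than the path, since clients must ignore HSTS received over HTTP anyway: `if (req.secure) { res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains'); }`, with `app.set('trust proxy', ...)` configured if a reverse proxy terminates TLS so that `req.secure` reflects the original scheme. Note also that `publicEndpoints.includes(req.path)` is an exact, case-sensitive comparison, so `/health/` or `/API` still receive the header — harmless, but worth stating with a comment such as `// exact-match list: trailing-slash and case variants are treated as protected`.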