Remove HSTS header for public endpoints to allow HTTP access

Changes:
- Conditional Strict-Transport-Security header
- Only applied to protected endpoints (require auth)
- Public endpoints (/health, /api, /docs/api, /public/download/*) can use HTTP
- Fixes PowerShell/browser connection issues over HTTP

Security:
- Protected endpoints still enforce HTTPS via HSTS
- Public endpoints remain accessible over HTTP for flexibility
- Other security headers (X-Frame-Options, CSP, etc.) still apply

Resolves:
- TLS connection errors from PowerShell
- Client network socket disconnection issues
- Allows public documentation access without SSL

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
debian.StillHammer 2025-12-09 01:19:38 +00:00
parent c1837eca1d
commit eefe747a9e


@ -87,10 +87,19 @@ app.use(express.json());
// Security headers // Security headers
app.use((req, res, next) => { app.use((req, res, next) => {
// Public endpoints that should work over HTTP
const publicEndpoints = ['/health', '/api', '/docs/api'];
const isPublic = publicEndpoints.includes(req.path) || req.path.startsWith('/public/download/');
res.setHeader('X-Content-Type-Options', 'nosniff'); res.setHeader('X-Content-Type-Options', 'nosniff');
res.setHeader('X-Frame-Options', 'DENY'); res.setHeader('X-Frame-Options', 'DENY');
res.setHeader('X-XSS-Protection', '1; mode=block'); res.setHeader('X-XSS-Protection', '1; mode=block');
res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
// Only enforce HTTPS for protected endpoints
if (!isPublic) {
res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
}
res.setHeader( res.setHeader(
'Content-Security-Policy', 'Content-Security-Policy',
"default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'" "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'"