Copilot
d5b3c5c21f
* Initial plan * fix: remove upgrade-insecure-requests from CSP to fix blank homepage over HTTP The upgrade-insecure-requests CSP directive instructs browsers to upgrade same-host HTTP requests to HTTPS (preserving port). In the default plain-HTTP Docker deployment (port 4174), the browser upgrades every asset URL to https://host:4174/... and sends a TLS Client Hello to the HTTP nginx port. nginx cannot parse TLS bytes as HTTP and returns 400 with no method/URI (the observed "400 - -" log pattern). All JS/CSS bundles fail to load, React never mounts, page stays blank. Fix: remove "; upgrade-insecure-requests" from the CSP string. This directive is intended for HTTPS-only sites and is harmful on plain-HTTP servers. Removing it does not weaken security for HTTP deployments. Agent-Logs-Url: https://github.com/DanielVolz/medassist-ng/sessions/9c4db7bd-1272-49ca-abf3-73c2ad5a5354 Co-authored-by: DanielVolz <3275994+DanielVolz@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: DanielVolz <3275994+DanielVolz@users.noreply.github.com>