Fix local HTTP Safari loads by disabling HTTPS upgrade headers #1623

Open
danielbnelson wants to merge 1 commit into mnfst:main from danielbnelson:fix/safari-theme-init

@danielbnelson danielbnelson commented Apr 20, 2026

Summary

Fixes blank-page behavior in Safari for local/self-hosted HTTP installs.

Root cause

Manifest was sending security directives that are appropriate for HTTPS deployments
but break plain HTTP local installs in Safari:

  • HSTS via Strict-Transport-Security
  • CSP upgrade-insecure-requests

Safari upgraded same-origin local subresource requests to https://..., which
caused TLS failures for JS, CSS, fonts, and startup assets.

Changes

  • disable HSTS unless BETTER_AUTH_URL is actually HTTPS
  • disable upgrade-insecure-requests in CSP

Validation

Tested against a local Docker/self-hosted instance on plain HTTP.

  • Chrome worked before and after
  • Safari previously showed TLS failures for same-origin assets and blanked the page
  • after this change, Safari no longer forces those asset requests to HTTPS
  • npm run build completed successfully

Summary by cubic

Fixes Safari blank page on local/self-hosted HTTP by disabling HTTPS upgrade headers in helmet. HSTS now only applies when BETTER_AUTH_URL is HTTPS, and CSP no longer upgrades requests on HTTP.

  • Bug Fixes
    • Enable HSTS only when BETTER_AUTH_URL starts with https://.
    • Set CSP upgradeInsecureRequests: null to stop Safari from rewriting same-origin assets to HTTPS on HTTP.
    • Verified on local Docker: Safari loads; Chrome unchanged.

Written for commit 9ed618c. Summary will update on new commits.
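
The scheme-gated header configuration described in this PR, as an added example that is not the PR's diff or Manifest's code: it builds the options object for helmet from the configured base URL and, going one step beyond the description, keeps upgrade-insecure-requests on HTTPS deployments instead of dropping it everywhere. The function names and the max-age value are assumptions.

```javascript
// Added example, not Manifest's code. Builds the options passed to helmet().
// Function names and the max-age value are assumptions for illustration.
const ONE_YEAR_SECONDS = 31536000;

function isHttpsOrigin(baseUrl) {
  // Parse rather than string-match, so "HTTPS://Example.com" and stray
  // whitespace are handled. Unset or malformed values count as not-HTTPS,
  // which keeps a misconfigured local install loadable over plain HTTP.
  try {
    return new URL(String(baseUrl ?? "").trim()).protocol === "https:";
  } catch {
    return false;
  }
}

function helmetOptionsFor(baseUrl) {
  const https = isHttpsOrigin(baseUrl);
  return {
    // false omits the Strict-Transport-Security header entirely.
    hsts: https ? { maxAge: ONE_YEAR_SECONDS } : false,
    contentSecurityPolicy: {
      useDefaults: true,
      directives: {
        // null removes the directive from helmet's default CSP;
        // an empty array emits the bare "upgrade-insecure-requests" token.
        upgradeInsecureRequests: https ? [] : null,
      },
    },
  };
}

// Usage in an Express app (requires the helmet package):
//   app.use(helmet(helmetOptionsFor(process.env.BETTER_AUTH_URL)));
```
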


@cubic-dev-ai cubic-dev-ai bot left a comment


No issues found across 1 file
