fix(web-ui): stop nginx from eating Set-Cookie on /api/ and /capture/

Login was infinite-looping in production. Server side was healthy (sessions
landing in PG, /me returning 200 to a manually-signed cookie) but the
browser never received `Set-Cookie`. Bisected the proxy chain layer by
layer with direct curls on the box:

  - mam-api direct (port 47432) → Set-Cookie present
  - web-ui nginx (port 47434)   → Set-Cookie STRIPPED
  - NPM (https://dragonflight.live) → Set-Cookie stripped (because web-ui ate it)

Root cause was this in /api/ and /capture/:

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

The literal "upgrade" was being sent on every request, not just real
WebSocket negotiations. Nginx then routes the upstream response through
its tunnel/upgrade code path, which doesn't preserve all response headers
the same way — Set-Cookie got silently dropped. mam-api doesn't speak
WebSockets today so it never sent a 101, and the bad pattern went
unnoticed until session-cookie auth shipped.

Fix is the standard conditional pattern: a `map` directive at the top of
default.conf computes $connection_upgrade as "upgrade" only when the
client actually requested Upgrade, otherwise "close". Both location blocks
now send `Connection $connection_upgrade` instead of the hardcoded literal.
WebSocket support on either location continues to work unchanged.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

services/mam-api/src/index.js

@@ -62,6 +62,18 @@ app.use(express.json({ limit: '50mb' }));
 // Trust the reverse proxy only when explicitly told to (production HTTPS).
 if (process.env.TRUST_PROXY === 'true') app.set('trust proxy', 1);
 
+// HSTS — once a browser has seen this header over HTTPS for dragonflight.live,
+// it auto-upgrades every future http:// request to https:// before hitting the
+// wire. Cookies are Secure-only (below) and the CORS allowlist rejects HTTP,
+// so without HSTS a user who lands on http:// silently can't log in.
+// Only emit on actual HTTPS responses; req.secure honors trust proxy + X-Forwarded-Proto.
+if (process.env.AUTH_ENABLED === 'true') {
+  app.use((req, res, next) => {
+    if (req.secure) res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+    next();
+  });
+}
+
 // Hard-fail when production-mode auth has no stable session secret. Without
 // this, express-session falls back to an in-memory random secret which
 // invalidates every session on restart and breaks multi-node deployments.

services/web-ui/nginx.conf

@@ -1,3 +1,16 @@
+# Map for proper WebSocket upgrade handling on the proxied locations below.
+# Without this, hardcoding `proxy_set_header Connection "upgrade"` puts nginx
+# into tunnel-mode for every request — which silently drops response headers
+# including Set-Cookie. That broke session-cookie auth on /api/v1/auth/login:
+# mam-api was issuing the cookie, web-ui's proxy was eating it before it
+# reached the browser. With this map, Connection is only set to "upgrade"
+# when the client actually requested an Upgrade (real WebSocket); otherwise
+# it's "close" and the response flows through normally.
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    ''      close;
+}
+
 server {
     listen 80;
     server_name _;
@@ -54,7 +67,7 @@ server {
         proxy_pass $api_upstream;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "upgrade";
+        proxy_set_header Connection $connection_upgrade;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -74,7 +87,7 @@ server {
         proxy_pass $capture_upstream;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "upgrade";
+        proxy_set_header Connection $connection_upgrade;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

services/web-ui/public/index.html

@@ -2,6 +2,14 @@
 <html lang="en">
 <head>
 <meta charset="utf-8" />
+<script>
+  // Force HTTPS on the public domain — Secure cookies and the CORS allowlist
+  // both refuse HTTP, so an http:// landing silently breaks login. Local /
+  // LAN hostnames keep whatever protocol they came in on.
+  if (location.protocol === 'http:' && location.hostname === 'dragonflight.live') {
+    location.replace('https:' + location.href.substring(5));
+  }
+</script>
 <meta name="viewport" content="width=device-width, initial-scale=1" />
 <title>Dragonflight · Wild Dragon Broadcast</title>
 <link rel="preconnect" href="https://fonts.googleapis.com" />