services/mam-api/src/index.js

@@ -62,18 +62,6 @@ app.use(express.json({ limit: '50mb' }));
 // Trust the reverse proxy only when explicitly told to (production HTTPS).
 if (process.env.TRUST_PROXY === 'true') app.set('trust proxy', 1);
 
-// HSTS — once a browser has seen this header over HTTPS for dragonflight.live,
-// it auto-upgrades every future http:// request to https:// before hitting the
-// wire. Cookies are Secure-only (below) and the CORS allowlist rejects HTTP,
-// so without HSTS a user who lands on http:// silently can't log in.
-// Only emit on actual HTTPS responses; req.secure honors trust proxy + X-Forwarded-Proto.
-if (process.env.AUTH_ENABLED === 'true') {
-  app.use((req, res, next) => {
-    if (req.secure) res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
-    next();
-  });
-}
-
 // Hard-fail when production-mode auth has no stable session secret. Without
 // this, express-session falls back to an in-memory random secret which
 // invalidates every session on restart and breaks multi-node deployments.

services/web-ui/nginx.conf

@@ -1,16 +1,3 @@
-# Map for proper WebSocket upgrade handling on the proxied locations below.
-# Without this, hardcoding `proxy_set_header Connection "upgrade"` puts nginx
-# into tunnel-mode for every request — which silently drops response headers
-# including Set-Cookie. That broke session-cookie auth on /api/v1/auth/login:
-# mam-api was issuing the cookie, web-ui's proxy was eating it before it
-# reached the browser. With this map, Connection is only set to "upgrade"
-# when the client actually requested an Upgrade (real WebSocket); otherwise
-# it's "close" and the response flows through normally.
-map $http_upgrade $connection_upgrade {
-    default upgrade;
-    ''      close;
-}
-
 server {
     listen 80;
     server_name _;
@@ -67,7 +54,7 @@ server {
         proxy_pass $api_upstream;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection $connection_upgrade;
+        proxy_set_header Connection "upgrade";
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -87,7 +74,7 @@ server {
         proxy_pass $capture_upstream;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection $connection_upgrade;
+        proxy_set_header Connection "upgrade";
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

services/web-ui/public/index.html

@@ -2,14 +2,6 @@
 <html lang="en">
 <head>
 <meta charset="utf-8" />
-<script>
-  // Force HTTPS on the public domain — Secure cookies and the CORS allowlist
-  // both refuse HTTP, so an http:// landing silently breaks login. Local /
-  // LAN hostnames keep whatever protocol they came in on.
-  if (location.protocol === 'http:' && location.hostname === 'dragonflight.live') {
-    location.replace('https:' + location.href.substring(5));
-  }
-</script>
 <meta name="viewport" content="width=device-width, initial-scale=1" />
 <title>Dragonflight · Wild Dragon Broadcast</title>
 <link rel="preconnect" href="https://fonts.googleapis.com" />