Fix Docker blank page when accessing via IP, add iframe support and HTTPS upgrade control (#1027)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: thomasnordquist <7721625+thomasnordquist@users.noreply.github.com>
This commit is contained in:
Copilot
2026-01-26 20:57:30 +01:00
committed by GitHub
parent 9efbdedab8
commit f079a9239c
2 changed files with 8 additions and 0 deletions


@@ -20,6 +20,10 @@ const CREDENTIALS_PATH = path.join(process.cwd(), 'data', 'credentials.json')
const MAX_FILE_SIZE = 16 * 1024 * 1024 // 16MB limit for file uploads
const ALLOWED_ORIGINS = process.env.ALLOWED_ORIGINS ? process.env.ALLOWED_ORIGINS.split(',') : ['*']
const isProduction = process.env.NODE_ENV === 'production'
// Enable upgrade-insecure-requests only when behind HTTPS reverse proxy
const enableUpgradeInsecure = process.env.UPGRADE_INSECURE_REQUESTS === 'true'
// Enable X-Frame-Options header to prevent iframe embedding (disabled by default)
const enableXFrameOptions = process.env.X_FRAME_OPTIONS === 'true'
/**
* Validates and sanitizes file paths to prevent path traversal attacks
@@ -83,6 +87,7 @@ async function startServer() {
styleSrc: ["'self'", "'unsafe-inline'"], // Required for Material-UI
connectSrc: ["'self'", 'ws:', 'wss:'], // Allow WebSocket connections
imgSrc: ["'self'", 'data:', 'blob:'],
upgradeInsecureRequests: enableUpgradeInsecure ? [] : null, // Only enable when behind HTTPS reverse proxy
},
},
hsts: isProduction
@@ -92,6 +97,7 @@ async function startServer() {
preload: true,
}
: false,
frameguard: enableXFrameOptions ? { action: 'sameorigin' } : false, // Disabled by default to allow iframe embedding
// Disable cross-origin policies that cause blank pages when accessing via IP vs localhost
// These headers can block resources and cause rendering issues on HTTP-only deployments
crossOriginEmbedderPolicy: false, // Can block resources without proper CORP headers
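Review bot: With `frameguard` off by default and no `frame-ancestors` directive in the CSP block above, the page can be framed by any origin unless the operator explicitly sets `X_FRAME_OPTIONS=true`; the opt-in should be stated where the flag is defined, since `enableXFrameOptions` is only checked against the literal string `'true'` and a value such as `X_FRAME_OPTIONS=SAMEORIGIN` silently leaves protection disabled. Suggested comment on the flag line: `// Clickjacking protection is opt-in: only the literal value 'true' enables X-Frame-Options: SAMEORIGIN; any other value (including 'SAMEORIGIN') leaves the app embeddable by any origin`. If allowlisted embedding is the intended use case, a `frameAncestors` directive alongside the other CSP directives would give the same protection while permitting the specific parent origins, which neither X-Frame-Options nor the current default provides. The enclosing `startServer` function starts before this hunk.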