From 7e3ba184f7565639a25d4622db85e6b58aa58d15 Mon Sep 17 00:00:00 2001
From: Robbie Antenesse
Date: Sat, 19 Jul 2025 10:01:10 -0600
Subject: [PATCH] Move content security policy header to Response from htaccess
---
 src/php/.htaccess | 3 ---
 src/php/api/Response.php | 10 +++++++---
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/src/php/.htaccess b/src/php/.htaccess
index 20258c8..1840d1c 100644
--- a/src/php/.htaccess
+++ b/src/php/.htaccess
@@ -1,6 +1,3 @@
-# To resolve the issue with "Your connection to this site is not secure" message
-Header set Content-Security-Policy: upgrade-insecure-requests env=HTTPS
-
 RewriteEngine On # Turn on the rewriting engine
 RewriteRule ^view/([0-9]+)/([0-9]+)/?$ router.php?view=word&dict=$1&word=$2 [NC,L] # Handle word ids.
diff --git a/src/php/api/Response.php b/src/php/api/Response.php
index cf610f1..18416af 100644
--- a/src/php/api/Response.php
+++ b/src/php/api/Response.php
@@ -3,9 +3,13 @@ class Response {
 private static function defaultHeaders () {
 header('Access-Control-Allow-Origin: *');
 header('Expires: Sun, 01 Nov 2015 22:46:51 GMT');
- header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
- header("Cache-Control: post-check=0, pre-check=0", false);
- header("Pragma: no-cache");
+ header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
+ header('Cache-Control: post-check=0, pre-check=0', false);
+ header('Pragma: no-cache');
+ if (strpos($_SERVER['SERVER_NAME'], 'localhost') !== false) {
+ # To resolve the issue with "Your connection to this site is not secure" message
+ header('Content-Security-Policy: upgrade-insecure-requests env=HTTPS');
+ }
 }
 public static function json ($data, $http_code = 200) {
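Review bot: The new `if` in `defaultHeaders()` sends the CSP only when `SERVER_NAME` contains `localhost`, which looks inverted relative to the removed `.htaccess` rule that applied it on HTTPS requests; as written, non-localhost responses would no longer carry `upgrade-insecure-requests`. The header value also still carries `env=HTTPS`, which is an Apache `mod_headers` condition rather than CSP syntax, so it is now sent to the browser as part of the policy string. Consider `if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') { header('Content-Security-Policy: upgrade-insecure-requests'); }` instead. Two further things to confirm: `SERVER_NAME` can follow the client-supplied Host header depending on server configuration, so a substring match on it is not a reliable environment test, and the policy now covers only responses built through this class, whereas the `.htaccess` rule presumably covered everything served from that directory.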