CSP: Upgrade insecure requests if possible

Config option; default is to only upgrade if usessl

app.js

@@ -126,6 +126,11 @@ if (config.csp.enable) {
       directives[propertyName] = directive;
     }
   }
+  if(config.csp.upgradeInsecureRequests === 'auto') {
+    directives.upgradeInsecureRequests = config.usessl === 'true'
+  } else {
+    directives.upgradeInsecureRequests = config.csp.upgradeInsecureRequests === 'true'
+  }
   app.use(helmet.contentSecurityPolicy({
     directives: directives
   }))