fix: disable CSP upgrade-insecure-requests for HTTP deployments

Helmet's default CSP includes upgrade-insecure-requests which forces
browsers to use HTTPS even when the page is served over HTTP.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: helliott-redactbox

server/src/index.ts

@@ -28,10 +28,10 @@ if (!configValidation.valid) {
 }
 
 // Security middleware
-// Disable HSTS as app may run on HTTP in home server environments
+// Disable HSTS and CSP as app runs on HTTP in home server environments
 app.use(
   helmet({
-    contentSecurityPolicy: config.nodeEnv === 'production' ? undefined : false,
+    contentSecurityPolicy: false,
     hsts: false,
   })
 );