diff --git a/.gitignore b/.gitignore
index 00a8877..7595311 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,3 +11,4 @@ sasjscore/
 certificates/
 executables/
 .env
+api/csp.config.json
diff --git a/api/src/app.ts b/api/src/app.ts
index 262b510..a41895c 100644
--- a/api/src/app.ts
+++ b/api/src/app.ts
@@ -35,9 +35,12 @@ export const cookieOptions = {
   maxAge: 24 * 60 * 60 * 1000 // 24 hours
 }
 
-const cspConfigJson = getEnvCSPDirectives(HELMET_CSP_CONFIG_PATH)
+const cspConfigJson: { [key: string]: string[] | null } = getEnvCSPDirectives(
+  HELMET_CSP_CONFIG_PATH
+)
 const coepFlag =
   HELMET_COEP === 'true' || HELMET_COEP === undefined ? true : false
+if (PROTOCOL === 'http') cspConfigJson['upgrade-insecure-requests'] = null
 /***********************************
  * CSRF Protection
  *
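Review bot: The added `if (PROTOCOL === 'http') cspConfigJson['upgrade-insecure-requests'] = null` in app.ts has no comment, and `null` here is a helmet-specific sentinel (a null directive value makes helmet drop a directive it would otherwise emit from its defaults) that a later reader will not recognise from the code alone; the widened `{ [key: string]: string[] | null }` annotation exists only to permit that assignment. Suggest above the line: `// Plain-HTTP deployments must not send upgrade-insecure-requests, or browsers rewrite every request to https; null makes helmet drop its default directive.` The assignment also mutates the object returned by getEnvCSPDirectives, which is defined outside this hunk; if that helper returns a shared or cached object the removal would persist beyond this module, so copying first, `const cspConfigJson: { [key: string]: string[] | null } = { ...getEnvCSPDirectives(HELMET_CSP_CONFIG_PATH) }`, is cheaper than verifying. Whether a null-valued directive is honoured depends on the installed helmet version, which this hunk does not show, so it is worth confirming against the project's lockfile.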