CSRF Prevention blocks insecure development environments and is not configurable

When the Sciflow container is launched in an insecure development environment served over HTTP, Apollo Server forces the Strict-Transport-Security: max-age=15552000; includeSubDomains header. This blocks loading resources over HTTP and completely disables the service.

This is caused by the following code, which hard-codes the setting:

  const server = new ApolloServer({
    csrfPrevention: true,
    // further server options follow in the original file
  });

What happens when this is activated is documented under:

As a consequence, every deployment, in any environment, is forced to adhere to strict transport-security guidelines.

This does not take effect when INSTANCE_URL is set to a value containing localhost, such as http://sciflow.localhost:3000.
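As an added example (not Sciflow's or Apollo's code), the following derives the csrfPrevention option from the environment instead of hard-coding it, keeping the observed localhost exception for INSTANCE_URL, and models the check Apollo Server applies when the option is on so the effect of each setting can be seen. The CSRF_PREVENTION variable is an assumed name; the simple content types and preflight headers are Apollo Server's defaults.

```javascript
// Added example, not part of the Sciflow project: make csrfPrevention
// configurable and show which requests the check admits or rejects.

// Content types a browser may send without a CORS preflight.
const SIMPLE_CONTENT_TYPES = [
  'text/plain',
  'application/x-www-form-urlencoded',
  'multipart/form-data',
];
// Apollo Server's default headers whose presence proves a preflight happened.
const PREFLIGHT_HEADERS = ['x-apollo-operation-name', 'apollo-require-preflight'];

// Decide the option from the environment. An explicit CSRF_PREVENTION
// variable (assumed name) wins; otherwise the check stays on unless
// INSTANCE_URL contains "localhost", mirroring the behaviour reported above.
function csrfPreventionFromEnv(env) {
  if (env.CSRF_PREVENTION !== undefined) {
    return env.CSRF_PREVENTION !== 'false';
  }
  const instanceUrl = env.INSTANCE_URL || '';
  return !instanceUrl.includes('localhost');
}

// Model of the check Apollo Server runs with csrfPrevention on: a request
// passes if it carries a preflight header or a non-simple content type.
function passesCsrfPrevention(headers) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]),
  );
  if (PREFLIGHT_HEADERS.some((name) => name in lower)) return true;
  const contentType = (lower['content-type'] || '').split(';')[0].trim().toLowerCase();
  return contentType !== '' && !SIMPLE_CONTENT_TYPES.includes(contentType);
}

// Combine both: would this request reach the resolvers under this environment?
function requestAllowed(env, headers) {
  return !csrfPreventionFromEnv(env) || passesCsrfPrevention(headers);
}

// Usage with constructed sample values:
const devEnv = { INSTANCE_URL: 'http://sciflow.localhost:3000' };
const prodEnv = { INSTANCE_URL: 'https://sciflow.example' };
console.log(requestAllowed(devEnv, { 'content-type': 'text/plain' }));   // true
console.log(requestAllowed(prodEnv, { 'content-type': 'text/plain' }));  // false
console.log(requestAllowed(prodEnv, { 'content-type': 'application/json' })); // true
```

Setting CSRF_PREVENTION=false disables the check regardless of INSTANCE_URL, which is the knob the report asks for.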