diff --git a/app.js b/app.js
index 8c7c257b4fc..1aef552f32c 100644
--- a/app.js
+++ b/app.js
@@ -14,35 +14,38 @@ function create(env, ctx) {
 var appInfo = env.name + ' ' + env.version;
 app.set('title', appInfo);
 app.enable('trust proxy'); // Allows req.secure test on heroku https connections.
- if (!process.env.insecureUseHttp) {
+ var insecureUseHttp = process.env.insecureUseHttp;
+ var secureHstsHeader = process.env.secureHstsHeader;
+ console.info('Security settings: INSECURE_USE_HTTP=', insecureUseHttp, ', SECURE_HSTS_HEADER=', secureHstsHeader);
+ if (!insecureUseHttp) {
 app.use((req, res, next) => {
 if (req.header('x-forwarded-proto') !== 'https') res.redirect(`https://${req.header('host')}${req.url}`); else next() })
- if (process.env.secureHstsHeader) { // Add HSTS (HTTP Strict Transport Security) header
+ if (secureHstsHeader) { // Add HSTS (HTTP Strict Transport Security) header
 const helmet = require('helmet');
 var includeSubDomainsValue = process.env.secureHstsHeaderIncludeSubdomains;
- var preloadValue = process.env.secureHstsHeaderPreload;
- app.use(helmet({
- hsts: {
- maxAge: 31536000,
- includeSubDomains: includeSubDomainsValue,
- preload: preloadValue
- }
- }))
- //if (env.settings.isEnabled('secureCsp')) { // Add Content-Security-Policy directive by default
- if (process.env.secureCsp) {
- app.use(helmet.contentSecurityPolicy({ //TODO make NS work without 'unsafe-inline'
- directives: {
- defaultSrc: ["'self'"],
- styleSrc: ["'self'", 'https://fonts.googleapis.com/',"'unsafe-inline'"],
- scriptSrc: ["'self'", "'unsafe-inline'"],
- fontSrc: [ "'self'", 'https://fonts.gstatic.com/']
- }
- }));
+ var preloadValue = process.env.secureHstsHeaderPreload;
+ app.use(helmet({
+ hsts: {
+ maxAge: 31536000,
+ includeSubDomains: includeSubDomainsValue,
+ preload: preloadValue
 }
+ }))
+ //if (env.settings.isEnabled('secureCsp')) { // Add Content-Security-Policy directive by default
+ if (process.env.secureCsp) {
+ app.use(helmet.contentSecurityPolicy({ //TODO make NS work without 'unsafe-inline'
+ directives: {
+ defaultSrc: ["'self'"],
+ styleSrc: ["'self'", 'https://fonts.googleapis.com/',"'unsafe-inline'"],
+ scriptSrc: ["'self'", "'unsafe-inline'"],
+ fontSrc: [ "'self'", 'https://fonts.gstatic.com/']
+ }
+ }));
+ }
 }
 }
@@ -192,7 +195,6 @@ function create(env, ctx) {
 console.log('Production environment detected, enabling Minify');
 var minify = require('express-minify');
- var myUglifyJS = require('uglify-js');
 var myCssmin = require('cssmin');
 app.use(minify({
@@ -203,7 +205,6 @@ function create(env, ctx) {
 stylus_match: /stylus/,
 coffee_match: /coffeescript/,
 json_match: /json/,
- uglifyJS: myUglifyJS,
 cssmin: myCssmin,
 cache: __dirname + '/tmp',
 onerror: undefined,
diff --git a/tests/env.test.js b/tests/env.test.js
index e8b63eae1d0..90313dfd39f 100644
--- a/tests/env.test.js
+++ b/tests/env.test.js
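Review bot: The new `insecureUseHttp` and `secureHstsHeader` locals at the top of the first hunk are read straight from `process.env`, so whatever is stored there is a string or undefined — if env.js ever writes its normalised booleans back into the environment (assigning `false` to a `process.env` key stores the string `'false'`), `!insecureUseHttp` evaluates to false and both the HTTPS redirect and the HSTS header are silently skipped. The `env` argument of `create(env, ctx)` is already in scope, and the test hunk in tests/env.test.js asserts `env.insecureUseHttp` and `env.secureHstsHeader` as real booleans, so `var insecureUseHttp = env.insecureUseHttp;` and `var secureHstsHeader = env.secureHstsHeader;` would tie this check to the values the tests actually cover. `includeSubDomainsValue` and `preloadValue` carry the same string-versus-boolean ambiguity into helmet's hsts options, where a `'false'` string is truthy. The body of create continues outside the hunk, so I cannot see whether env.js populates these `process.env` keys at all.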
@@ -3,68 +3,69 @@ require('should');
 describe('env', function ( ) {
- it('show the right plugins', function () {
+ it( 'show the right plugins', function () {
 process.env.SHOW_PLUGINS = 'iob';
 process.env.ENABLE = 'iob cob';
- var env = require('../env')();
+ var env = require( '../env' )();
 var showPlugins = env.settings.showPlugins;
- showPlugins.should.containEql('iob');
- showPlugins.should.containEql('delta');
- showPlugins.should.containEql('direction');
- showPlugins.should.containEql('upbat');
+ showPlugins.should.containEql( 'iob' );
+ showPlugins.should.containEql( 'delta' );
+ showPlugins.should.containEql( 'direction' );
+ showPlugins.should.containEql( 'upbat' );
 delete process.env.SHOW_PLUGINS;
 delete process.env.ENABLE;
- });
+ } );
- it('get extended settings', function () {
+ it( 'get extended settings', function () {
 process.env.ENABLE = 'scaryplugin';
 process.env.SCARYPLUGIN_DO_THING = 'yes';
- var env = require('../env')();
- env.settings.isEnabled('scaryplugin').should.equal(true);
+ var env = require( '../env' )();
+ env.settings.isEnabled( 'scaryplugin' ).should.equal( true );
 //Note the camelCase
- env.extendedSettings.scaryplugin.doThing.should.equal('yes');
+ env.extendedSettings.scaryplugin.doThing.should.equal( 'yes' );
 delete process.env.ENABLE;
 delete process.env.SCARYPLUGIN_DO_THING;
- });
+ } );
- it('add pushover to enable if one of the env vars is set', function () {
+ it( 'add pushover to enable if one of the env vars is set', function () {
 process.env.PUSHOVER_API_TOKEN = 'abc12345';
- var env = require('../env')();
- env.settings.enable.should.containEql('pushover');
- env.extendedSettings.pushover.apiToken.should.equal('abc12345');
+ var env = require( '../env' )();
+ env.settings.enable.should.containEql( 'pushover' );
+ env.extendedSettings.pushover.apiToken.should.equal( 'abc12345' );
 delete process.env.PUSHOVER_API_TOKEN;
- });
+ } );
- it('add pushover to enable if one of the weird azure env vars is set', function () {
+ it( 'add pushover to enable if one of the weird azure env vars is set', function () {
 process.env.CUSTOMCONNSTR_PUSHOVER_API_TOKEN = 'abc12345';
- var env = require('../env')();
- env.settings.enable.should.containEql('pushover');
- env.extendedSettings.pushover.apiToken.should.equal('abc12345');
+ var env = require( '../env' )();
+ env.settings.enable.should.containEql( 'pushover' );
+ env.extendedSettings.pushover.apiToken.should.equal( 'abc12345' );
 delete process.env.PUSHOVER_API_TOKEN;
- });
+ } );
- it('readENVTruthy ', function () {
+ it( 'readENVTruthy ', function () {
 process.env.INSECURE_USE_HTTP = 'true';
- var env = require('../env')();
+ var env = require( '../env' )();
 env.insecureUseHttp.should.be.true();
 process.env.INSECURE_USE_HTTP = 'false';
- env = require('../env')();
+ env = require( '../env' )();
 env.insecureUseHttp.should.be.false();
 process.env.INSECURE_USE_HTTP = 'not set ok, so use default value false';
- env = require('../env')();
+ env = require( '../env' )();
 env.insecureUseHttp.should.be.false();
 delete process.env.INSECURE_USE_HTTP; // unset INSECURE_USE_HTTP
- env = require('../env')();
+ process.env.SECURE_HSTS_HEADER = 'true';
+ env = require( '../env' )();
 env.insecureUseHttp.should.be.false(); // not defined should be false
+ env.secureHstsHeader.should.be.true();
 });
-
-});
+})
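Review bot: The new `process.env.SECURE_HSTS_HEADER = 'true'` near the end of the `readENVTruthy` case is never removed, unlike every other variable this file sets and deletes, so it leaks into any spec that runs afterwards and re-requires `../env`. Add `delete process.env.SECURE_HSTS_HEADER;` after the new `env.secureHstsHeader.should.be.true();` assertion. The case also only pins the `'true'` value; a `'false'` and an unset assertion, mirroring the three written for `INSECURE_USE_HTTP` just above, would confirm the default is off. The rest of the hunk is whitespace-only reformatting.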