fix: helmet config on http mode

2025-12-10 11:24:35 +00:00 · 2022-05-10 10:04:01 +00:00
parent 2467616296
commit b0fdaaaa79
2 changed files with 3 additions and 1 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -11,3 +11,4 @@ sasjscore/
 certificates/
 executables/
 .env
+api/csp.config.json
--- a/api/src/app.ts
+++ b/api/src/app.ts
@@ -35,9 +35,10 @@ export const cookieOptions = {
  maxAge: 24 * 60 * 60 * 1000 // 24 hours
 }

-const cspConfigJson = getEnvCSPDirectives(HELMET_CSP_CONFIG_PATH)
+const cspConfigJson: any = getEnvCSPDirectives(HELMET_CSP_CONFIG_PATH)
 const coepFlag =
  HELMET_COEP === 'true' || HELMET_COEP === undefined ? true : false
+if (PROTOCOL === 'http') cspConfigJson['upgrade-insecure-requests'] = null

 /***********************************
 *         CSRF Protection         *