Merge pull request #165 from sasjs/issue-164

fix: helmet config on http mode
2025-12-10 11:24:35 +00:00 · 2022-05-10 14:01:40 +03:00
parent 2467616296 24d7f00c02
commit c61fec47c4
2 changed files with 5 additions and 1 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -11,3 +11,4 @@ sasjscore/
 certificates/
 executables/
 .env
+api/csp.config.json
--- a/api/src/app.ts
+++ b/api/src/app.ts
@@ -35,9 +35,12 @@ export const cookieOptions = {
  maxAge: 24 * 60 * 60 * 1000 // 24 hours
 }

-const cspConfigJson = getEnvCSPDirectives(HELMET_CSP_CONFIG_PATH)
+const cspConfigJson: { [key: string]: string[] | null } = getEnvCSPDirectives(
+  HELMET_CSP_CONFIG_PATH
+)
 const coepFlag =
  HELMET_COEP === 'true' || HELMET_COEP === undefined ? true : false
+if (PROTOCOL === 'http') cspConfigJson['upgrade-insecure-requests'] = null

 /***********************************
 *         CSRF Protection         *