feat: CSP_DISABLE env option

2026-01-03 21:10:05 +00:00 · 2022-05-05 18:25:33 +00:00
parent 8065727b9b
commit dd3acce393
5 changed files with 1931 additions and 15531 deletions
--- a/api/src/app.ts
+++ b/api/src/app.ts
@@ -25,7 +25,7 @@ const app = express()
 app.use(cookieParser())
 app.use(morgan('tiny'))

-const { MODE, CORS, WHITELIST, PROTOCOL } = process.env
+const { MODE, CORS, WHITELIST, PROTOCOL, CSP_DISABLE } = process.env

 export const cookieOptions = {
  secure: PROTOCOL === 'https',
@@ -41,16 +41,18 @@ export const csrfProtection = csrf({ cookie: cookieOptions })
 /***********************************
 *   Handle security and origin    *
 ***********************************/
-app.use(
-  helmet({
-    contentSecurityPolicy: {
-      directives: {
-        ...helmet.contentSecurityPolicy.getDefaultDirectives(),
-        'script-src': ["'self'", "'unsafe-inline'"]
+if (CSP_DISABLE !== 'true') {
+  app.use(
+    helmet({
+      contentSecurityPolicy: {
+        directives: {
+          ...helmet.contentSecurityPolicy.getDefaultDirectives(),
+          'script-src': ["'self'", "'unsafe-inline'"]
+        }
      }
-    }
-  })
-)
+    })
+  )
+}

 /***********************************
 *         Enabling CORS           *