CSP: Upgrade insecure requests if possible

Adds a config option; the default ('auto') only enables upgrade-insecure-requests when usessl is enabled.
Literallie 2017-10-18 17:45:57 +02:00
parent ba183ce654
commit 5d2d3ec875
No known key found for this signature in database
GPG key ID: 7BE463C902ED152C
2 changed files with 8 additions and 2 deletions

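--- a/app.js
+++ b/app.js
@@ -126,6 +126,11 @@ if (config.csp.enable) {
 directives[propertyName] = directive;
 }
 }
+if(config.csp.upgradeInsecureRequests === 'auto') {
+directives.upgradeInsecureRequests = config.usessl === 'true'
+} else {
+directives.upgradeInsecureRequests = config.csp.upgradeInsecureRequests === 'true'
+}
 app.use(helmet.contentSecurityPolicy({
 directives: directives
 }))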
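Review bot: In 'auto' mode the new code tests `config.usessl === 'true'`, which can only match a string, yet the neighbouring default `protocolusessl: false` in the config hunk is a boolean, so `usessl` is presumably a boolean as well and upgrade-insecure-requests would then never be emitted even when SSL is on. The explicit branch has the same shape: a user writing `upgradeInsecureRequests: true` (the natural counterpart of the shipped `'auto'` string) is silently treated as false. Accept both forms, e.g. `directives.upgradeInsecureRequests = config.usessl === true || config.usessl === 'true'` and `directives.upgradeInsecureRequests = config.csp.upgradeInsecureRequests === true || config.csp.upgradeInsecureRequests === 'true'`, or normalise the value once where the config is loaded. If `protocolusessl` is the TLS-terminating-proxy flag its name suggests, consider whether 'auto' should honour it too, since such a deployment serves https with `usessl` false and would still get mixed-content requests. The enclosing `if (config.csp.enable)` block begins before this hunk.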


@ -20,8 +20,9 @@ module.exports = {
defaultSrc: ["'self'"], defaultSrc: ["'self'"],
scriptSrc: ["'self'"], scriptSrc: ["'self'"],
styleSrc: ["'self'", "'unsafe-inline'"], styleSrc: ["'self'", "'unsafe-inline'"],
fontSrc: ["'self'"] fontSrc: ["'self'"],
} },
upgradeInsecureRequests: 'auto'
}, },
protocolusessl: false, protocolusessl: false,
usecdn: true, usecdn: true,