Fix upgradeInsecureRequests CSP directive

The `upgradeInsecureRequests` option of Helmets CSP middleware was a boolean in Helmet 3, but with Helmet 4, everything changed to lists. This commit adjusts the addUpgradeUnsafeRequestsOptionTo function accordingly. Closes #1221 See also https://github.com/helmetjs/helmet/tree/v4.6.0/middlewares/content-security-policy Signed-off-by: David Mehren <git@herrmehren.de>
2024-11-22 01:36:29 -05:00 · 2021-05-04 11:10:53 +02:00 · 2021-05-04 11:10:53 +02:00 · 0b61f48129
commit 0b61f48129
parent e6d4ac5f9a
1 changed files with 2 additions and 2 deletions
--- a/lib/csp.js
+++ b/lib/csp.js
@ -85,9 +85,9 @@ function getCspNonce (req, res) {

 function addUpgradeUnsafeRequestsOptionTo (directives) {
  if (config.csp.upgradeInsecureRequests === 'auto' && config.useSSL) {
-    directives.upgradeInsecureRequests = true
+    directives.upgradeInsecureRequests = []
  } else if (config.csp.upgradeInsecureRequests === true) {
-    directives.upgradeInsecureRequests = true
+    directives.upgradeInsecureRequests = []
  }
 }