From 5d2d3ec875310de07fe79ae605dfbc0f1df585c5 Mon Sep 17 00:00:00 2001 From: Literallie Date: Wed, 18 Oct 2017 17:45:57 +0200 Subject: [PATCH] CSP: Upgrade insecure requests if possible Config option; default is to only upgrade if usessl --- app.js | 5 +++++ lib/config/default.js | 5 +++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/app.js b/app.js index 54ec6cf7e..8af029e73 100644 --- a/app.js +++ b/app.js @@ -126,6 +126,11 @@ if (config.csp.enable) { directives[propertyName] = directive; } } + if(config.csp.upgradeInsecureRequests === 'auto') { + directives.upgradeInsecureRequests = config.usessl === 'true' + } else { + directives.upgradeInsecureRequests = config.csp.upgradeInsecureRequests === 'true' + } app.use(helmet.contentSecurityPolicy({ directives: directives })) diff --git a/lib/config/default.js b/lib/config/default.js index e207dfc62..217d11d03 100644 --- a/lib/config/default.js +++ b/lib/config/default.js @@ -20,8 +20,9 @@ module.exports = { defaultSrc: ["'self'"], scriptSrc: ["'self'"], styleSrc: ["'self'", "'unsafe-inline'"], - fontSrc: ["'self'"] - } + fontSrc: ["'self'"], + }, + upgradeInsecureRequests: 'auto' }, protocolusessl: false, usecdn: true,