mirror of
https://github.com/hedgedoc/hedgedoc.git
synced 2024-11-25 11:16:31 -05:00
CSP: Upgrade insecure requests if possible
Config option; default is to only upgrade if usessl
This commit is contained in:
parent
ba183ce654
commit
5d2d3ec875
2 changed files with 8 additions and 2 deletions
5
app.js
5
app.js
|
@ -126,6 +126,11 @@ if (config.csp.enable) {
|
|||
directives[propertyName] = directive;
|
||||
}
|
||||
}
|
||||
if(config.csp.upgradeInsecureRequests === 'auto') {
|
||||
directives.upgradeInsecureRequests = config.usessl === 'true'
|
||||
} else {
|
||||
directives.upgradeInsecureRequests = config.csp.upgradeInsecureRequests === 'true'
|
||||
}
|
||||
app.use(helmet.contentSecurityPolicy({
|
||||
directives: directives
|
||||
}))
|
||||
|
|
|
@ -20,8 +20,9 @@ module.exports = {
|
|||
defaultSrc: ["'self'"],
|
||||
scriptSrc: ["'self'"],
|
||||
styleSrc: ["'self'", "'unsafe-inline'"],
|
||||
fontSrc: ["'self'"]
|
||||
}
|
||||
fontSrc: ["'self'"],
|
||||
},
|
||||
upgradeInsecureRequests: 'auto'
|
||||
},
|
||||
protocolusessl: false,
|
||||
usecdn: true,
|
||||
|
|
Loading…
Reference in a new issue