summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLiterallie2017-10-18 17:45:57 +0200
committerLiterallie2017-10-22 00:03:45 +0200
commit5d2d3ec875310de07fe79ae605dfbc0f1df585c5 (patch)
tree3d2c64e575d76a6ad4e6be54f1f5a21009f7d926
parentba183ce6543f102ae635502a0da0ac7c923cc97a (diff)
CSP: Upgrade insecure requests if possible
Config option; default is to only upgrade if usessl
Diffstat (limited to '')
-rw-r--r--app.js5
-rw-r--r--lib/config/default.js5
2 files changed, 8 insertions, 2 deletions
diff --git a/app.js b/app.js
index 54ec6cf7..8af029e7 100644
--- a/app.js
+++ b/app.js
@@ -126,6 +126,11 @@ if (config.csp.enable) {
directives[propertyName] = directive;
}
}
+ if(config.csp.upgradeInsecureRequests === 'auto') {
+ directives.upgradeInsecureRequests = config.usessl === 'true'
+ } else {
+ directives.upgradeInsecureRequests = config.csp.upgradeInsecureRequests === 'true'
+ }
app.use(helmet.contentSecurityPolicy({
directives: directives
}))
diff --git a/lib/config/default.js b/lib/config/default.js
index e207dfc6..217d11d0 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -20,8 +20,9 @@ module.exports = {
defaultSrc: ["'self'"],
scriptSrc: ["'self'"],
styleSrc: ["'self'", "'unsafe-inline'"],
- fontSrc: ["'self'"]
- }
+ fontSrc: ["'self'"],
+ },
+ upgradeInsecureRequests: 'auto'
},
protocolusessl: false,
usecdn: true,