authorDavid Mehren2021-05-04 11:10:53 +0200
committerDavid Mehren2021-05-04 11:10:53 +0200
commit0b61f48129e666eed4c34dbbf759ab0013153022 (patch)
tree0f79d601e058c9b5d4384aa3726e90aff198b7ce
parente6d4ac5f9a50b28b9d6e456d7fc343194ab1cbee (diff)
Fix upgradeInsecureRequests CSP directive
The `upgradeInsecureRequests` option of Helmet's CSP middleware was a boolean in Helmet 3, but with Helmet 4, everything changed to lists. This commit adjusts the addUpgradeUnsafeRequestsOptionTo function accordingly. Closes #1221 See also https://github.com/helmetjs/helmet/tree/v4.6.0/middlewares/content-security-policy Signed-off-by: David Mehren <git@herrmehren.de>
-rw-r--r--lib/csp.js4
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/csp.js b/lib/csp.js
index 108f2a22..08efdd79 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -85,9 +85,9 @@ function getCspNonce (req, res) {
function addUpgradeUnsafeRequestsOptionTo (directives) {
if (config.csp.upgradeInsecureRequests === 'auto' && config.useSSL) {
- directives.upgradeInsecureRequests = true
+ directives.upgradeInsecureRequests = []
} else if (config.csp.upgradeInsecureRequests === true) {
- directives.upgradeInsecureRequests = true
+ directives.upgradeInsecureRequests = []
}
}
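Review bot: The two `directives.upgradeInsecureRequests = []` assignments read like "no value" and are easy to mistake for switching the directive off, so the first one deserves a short comment such as `// Helmet 4 takes lists: an empty list emits the bare upgrade-insecure-requests directive`. Both branches now perform the same assignment and could be folded into one condition, `if (mode === true || (mode === 'auto' && config.useSSL))` with `const mode = config.csp.upgradeInsecureRequests`, so the value is written in one place. The commit touches only lib/csp.js, so nothing pins the emitted header. A test asserting that the Content-Security-Policy response header contains `upgrade-insecure-requests` when the option is enabled would catch the next change in Helmet's directive format before the policy silently loses the directive.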