CSP: Upgrade insecure requests if possible

Config option; default is to only upgrade if usessl
author: Literallie 2017-10-18 17:45:57 +0200
committer: Literallie 2017-10-22 00:03:45 +0200
commit: 5d2d3ec875310de07fe79ae605dfbc0f1df585c5 (patch)
tree: 3d2c64e575d76a6ad4e6be54f1f5a21009f7d926 /app.js
parent: ba183ce6543f102ae635502a0da0ac7c923cc97a (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/app.js b/app.js
index 54ec6cf7..8af029e7 100644
--- a/app.js
+++ b/app.js
@@ -126,6 +126,11 @@ if (config.csp.enable) {
       directives[propertyName] = directive;
     }
   }
+  if(config.csp.upgradeInsecureRequests === 'auto') {
+    directives.upgradeInsecureRequests = config.usessl === 'true'
+  } else {
+    directives.upgradeInsecureRequests = config.csp.upgradeInsecureRequests === 'true'
+  }
   app.use(helmet.contentSecurityPolicy({
     directives: directives
   }))
author	Literallie	2017-10-18 17:45:57 +0200
committer	Literallie	2017-10-22 00:03:45 +0200
commit	5d2d3ec875310de07fe79ae605dfbc0f1df585c5 (patch)
tree	3d2c64e575d76a6ad4e6be54f1f5a21009f7d926 /app.js
parent	ba183ce6543f102ae635502a0da0ac7c923cc97a (diff)