unleash.unleash/lib/middleware/secure-headers.js

const helmet = require('helmet');

module.exports = function(config) {
    if (config.secureHeaders) {
        return helmet({
            hsts: {
                maxAge: 63072000,
                includeSubDomains: true,
                preload: true,
            },
            contentSecurityPolicy: {
                directives: {
                    defaultSrc: ["'self'"],
                    fontSrc: [
                        "'self'",
                        'fonts.googleapis.com',
                        'fonts.gstatic.com',
                    ],
                    styleSrc: [
                        "'self'",
                        "'unsafe-inline'",
                        'fonts.googleapis.com',
                        'fonts.gstatic.com',
                        'data:',
                    ],
                    scriptSrc: ["'self'"],
                    imgSrc: ["'self'", 'data:', 'gravatar.com'],
                },
            },
        });
    }
    return (req, res, next) => {
        next();
    };
};
fix: add optional helmet security headers Allow users to enable the helmet middleware to enable security headers by default. https://github.com/helmetjs/helmet 2020-09-01 21:19:46 +02:00			`const helmet = require('helmet');`

			`module.exports = function(config) {`
fix: add secureHeaders option for HSTS 2020-10-01 21:47:40 +02:00			`if (config.secureHeaders) {`
fix: add optional helmet security headers Allow users to enable the helmet middleware to enable security headers by default. https://github.com/helmetjs/helmet 2020-09-01 21:19:46 +02:00			`return helmet({`
fix: update helmet config 2020-09-18 11:30:30 +02:00			`hsts: {`
			`maxAge: 63072000,`
			`includeSubDomains: true,`
			`preload: true,`
			`},`
fix: add optional helmet security headers Allow users to enable the helmet middleware to enable security headers by default. https://github.com/helmetjs/helmet 2020-09-01 21:19:46 +02:00			`contentSecurityPolicy: {`
			`directives: {`
fix: add secureHeaders option for HSTS 2020-10-01 21:47:40 +02:00			`defaultSrc: ["'self'"],`
			`fontSrc: [`
fix: add optional helmet security headers Allow users to enable the helmet middleware to enable security headers by default. https://github.com/helmetjs/helmet 2020-09-01 21:19:46 +02:00			`"'self'",`
			`'fonts.googleapis.com',`
			`'fonts.gstatic.com',`
			`],`
fix: lax helmet csp config for styles. Required to support react-selct, see https://github.com/JedWatson/react-select/issues/2917 2020-09-07 09:23:59 +02:00			`styleSrc: [`
			`"'self'",`
fix: helmet wap csp in quotes 2020-09-07 09:51:30 +02:00			`"'unsafe-inline'",`
fix: lax helmet csp config for styles. Required to support react-selct, see https://github.com/JedWatson/react-select/issues/2917 2020-09-07 09:23:59 +02:00			`'fonts.googleapis.com',`
			`'fonts.gstatic.com',`
			`'data:',`
			`],`
fix: add secureHeaders option for HSTS 2020-10-01 21:47:40 +02:00			`scriptSrc: ["'self'"],`
			`imgSrc: ["'self'", 'data:', 'gravatar.com'],`
fix: add optional helmet security headers Allow users to enable the helmet middleware to enable security headers by default. https://github.com/helmetjs/helmet 2020-09-01 21:19:46 +02:00			`},`
			`},`
			`});`
			`}`
			`return (req, res, next) => {`
			`next();`
			`};`
			`};`