const helmet = require('helmet'); module.exports = function(config) { if (config.secureHeaders) { return helmet({ hsts: { maxAge: 63072000, includeSubDomains: true, preload: true, }, contentSecurityPolicy: { directives: { defaultSrc: ["'self'"], fontSrc: [ "'self'", 'fonts.googleapis.com', 'fonts.gstatic.com', ], styleSrc: [ "'self'", "'unsafe-inline'", 'fonts.googleapis.com', 'fonts.gstatic.com', 'data:', ], scriptSrc: ["'self'"], imgSrc: ["'self'", 'data:', 'gravatar.com'], }, }, }); } return (req, res, next) => { next(); }; };