refactor(server): use helmet default csp directives function

Fdawgs · Jan 11, 2021 · 2a45afa · 2a45afa
1 parent 4aea194
commit 2a45afa
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 12 deletions.
diff --git a/package.json b/package.json
@@ -83,6 +83,7 @@
 		"fastify-swagger": "^3.5.0",
 		"file-stream-rotator": "^0.5.7",
 		"fluent-json-schema": "^2.0.3",
+		"helmet": "^4.3.1",
 		"http-errors": "^1.8.0",
 		"mssql": "^6.3.1",
 		"pino": "^6.9.0"

diff --git a/src/server.js b/src/server.js
@@ -5,6 +5,7 @@ const path = require("path");
 // Import plugins
 const bearer = require("fastify-bearer-auth");
 const cors = require("fastify-cors");
+const helmConfig = require("helmet");
 const helmet = require("fastify-helmet");
 const swagger = require("fastify-swagger");
 const mssql = require("./plugins/mssql");
@@ -27,19 +28,12 @@ async function plugin(server, config) {
 		.register(helmet, (instance) => ({
 			contentSecurityPolicy: {
 				directives: {
-					defaultSrc: ["'self'"], // default source is mandatory
-					baseUri: ["'self'"],
-					blockAllMixedContent: [],
-					frameAncestors: ["'self'"],
-					fontSrc: ["'self'"],
-					formAction: ["'self'"],
-					imgSrc: ["'self'", "data:", "validator.swagger.io"],
-					objectSrc: ["'none'"],
-					scriptSrc: ["'self'"].concat(instance.swaggerCSP.script),
-					styleSrc: ["'self'", "https:"].concat(
+					...helmConfig.contentSecurityPolicy.getDefaultDirectives(),
+					"img-src": ["'self'", "data:", "validator.swagger.io"],
+					"script-src": ["'self'"].concat(instance.swaggerCSP.script),
+					"style-src": ["'self'", "https:"].concat(
 						instance.swaggerCSP.style
 					),
-					upgradeInsecureRequests: [],
 				},
 			},
 		}))

diff --git a/yarn.lock b/yarn.lock
@@ -3115,7 +3115,7 @@ hdr-histogram-percentiles-obj@^3.0.0:
   resolved "https://registry.yarnpkg.com/hdr-histogram-percentiles-obj/-/hdr-histogram-percentiles-obj-3.0.0.tgz#9409f4de0c2dda78e61de2d9d78b1e9f3cba283c"
   integrity sha512-7kIufnBqdsBGcSZLPJwqHT3yhk1QTsSlFsVD3kx5ixH/AlgBs9yM1q6DPhXZ8f8gtdqgh7N7/5btRLpQsS2gHw==
 
-helmet@^4.0.0:
+helmet@^4.0.0, helmet@^4.3.1:
   version "4.3.1"
   resolved "https://registry.yarnpkg.com/helmet/-/helmet-4.3.1.tgz#e374e2fb3f8da045d0233f13299b1fde6e59e4e1"
   integrity sha512-WsafDyKsIexB0+pUNkq3rL1rB5GVAghR68TP8ssM9DPEMzfBiluEQlVzJ/FEj6Vq2Ag3CNuxf7aYMjXrN0X49Q==