This is specifically a problem when Helmet is looking for fields on the request that a Node request doesn't have, like request.secure.
You can see this with the hsts() middleware which doesn't send the Strict-Transport-Security header since ctx.req.secure is always undefined. Passing in ctx.request fixes this specific issue, but there might not be a robust solution at hand since Koa request objects aren't guaranteed to be the same as Express request objects.
For the hsts() middleware, an easy workaround is to configure the middleware with { force: ctx.request.secure } but it's a little fragile that Helmet's logic for whether to send the HSTS response header needs to be replicated.
Several changes:
* Updates Helmet to 3.x major
* Passes along req.secure so the helmet-hsts module knows if the
request is https or not (it expects an express object)
Closes #25, closes #18
* Updates documentation for req.secure change
* Switches to use standard.js
* Removes unused devDependencies
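The failure described in the issue and the `req.secure` pass-through described in the commit message, as an added example that is not code from Helmet or koa-helmet. `hstsLike`, `wrapNaive`, `wrapPassSecure`, `hstsHeaderFor` and the mock `ctx` objects are hypothetical stand-ins, and the mock assumes that only the Koa request wrapper exposes `secure`.

```javascript
// Stand-in for an Express-style middleware that decides on req.secure.
// Simplified for illustration; not Helmet's actual implementation.
// The max-age default is a constructed sample value.
function hstsLike ({ maxAge = 15552000, force = false } = {}) {
  return function (req, res, next) {
    if (force || req.secure) {
      res.setHeader('Strict-Transport-Security', `max-age=${maxAge}`)
    }
    next()
  }
}

// Constructed mock of a Koa context: ctx.req is the raw Node request
// (no `secure` field), ctx.request is Koa's wrapper (has `secure`).
function mockCtx (isHttps) {
  const headers = {}
  return {
    req: { url: '/', headers: {} },
    request: { secure: isHttps },
    res: {
      setHeader (name, value) { headers[name.toLowerCase()] = value },
      getHeader (name) { return headers[name.toLowerCase()] }
    }
  }
}

// Naive adapter: hands the raw Node request to the middleware as-is.
function wrapNaive (middleware) {
  return (ctx, next) => middleware(ctx.req, ctx.res, next)
}

// Adapter that copies Koa's HTTPS decision onto the object the middleware reads.
function wrapPassSecure (middleware) {
  return (ctx, next) => {
    ctx.req.secure = ctx.request.secure
    return middleware(ctx.req, ctx.res, next)
  }
}

// Runs one adapter against one mock request and returns the header it set.
function hstsHeaderFor (wrap, isHttps) {
  const ctx = mockCtx(isHttps)
  wrap(hstsLike())(ctx, () => {})
  return ctx.res.getHeader('Strict-Transport-Security')
}

console.log('naive adapter, https :', hstsHeaderFor(wrapNaive, true))
console.log('pass-through, https  :', hstsHeaderFor(wrapPassSecure, true))
console.log('pass-through, http   :', hstsHeaderFor(wrapPassSecure, false))
```

The same three calls work as a regression check for any adapter: the header must be present for an HTTPS request and absent for a plain HTTP one.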