refactor: config.hsts -> config.helmet

this allows full config to the helmet library it will fallback to old behavior if helmet entry is not found in config file, but hsts entry is
2025-01-31 07:11:33 +00:00 · 2022-03-04 02:04:16 +07:00 · 2022-03-04 02:04:16 +07:00 · 2ddd97541e
commit 2ddd97541e
parent b80e2cca6e
2 changed files with 18 additions and 9 deletions
--- a/config.sample.js
+++ b/config.sample.js
@ -136,16 +136,19 @@ module.exports = {
  },

  /*
-    HTTP Strict Transport Security (HSTS).
-    This doesn't enforce HTTP users to switch to HTTPS.
-    It only tells HTTPS users to stick around (i.e. not to downgrade to HTTP).
-    When set, it's also added to HTTP responses because the header will be ignored anyway.
-    https://helmetjs.github.io/docs/hsts/#the-code
+    Helmet security headers.
+    https://github.com/helmetjs/helmet#how-it-works
  */
-  hsts: {
-    // maxAge: 63072000, // 2 years
-    // includeSubDomains: true,
-    // preload: true
+  helmet: {
+    contentSecurityPolicy: false,
+    /*
+    hsts: {
+      maxAge: 63072000, // 2 years
+      includeSubDomains: true,
+      preload: true
+    }
+    */
+    hsts: false
  },

  /*
--- a/lolisafe.js
+++ b/lolisafe.js
@ -32,6 +32,11 @@ const player = require('./routes/player')

 const db = require('knex')(config.database)

+// Helmet security headers
+if (config.helmet instanceof Object && Object.keys(config.helmet).length) {
+  safe.use(helmet(config.helmet))
+} else {
+  // Fallback to old behavior when the whole helmet option was not configurable from the config file
 safe.use(helmet({
  contentSecurityPolicy: false,
  hsts: false
@ -39,6 +44,7 @@ safe.use(helmet({

 if (config.hsts instanceof Object && Object.keys(config.hsts).length) {
  safe.use(helmet.hsts(config.hsts))
+  }
 }

 if (config.trustProxy) {