fix: re-disable new default helmet modules

this is to align with original behavior pre-Helmet v5 update this only changes sample config file, and fallback values when helmet option is missing from config file otherwise decide at your own discretion (refer to the comments)
2025-01-18 17:21:33 +00:00 · 2022-04-20 18:37:10 +07:00 · 2022-04-20 18:37:10 +07:00 · f6a86226a2
commit f6a86226a2
parent 9af52e068d
2 changed files with 16 additions and 2 deletions
--- a/config.sample.js
+++ b/config.sample.js
@ -141,6 +141,14 @@ module.exports = {
  */
  helmet: {
    contentSecurityPolicy: false,
+    /*
+      Cross-Origin-* headers were enabled by default since Helmet v5.0.0
+      However, for installations that use own http server for files (nginx, etc.),
+      these headers also need to be configured in there.
+    */
+    crossOriginEmbedderPolicy: false,
+    crossOriginOpenerPolicy: false,
+    crossOriginResourcePolicy: false,
    /*
    hsts: {
      maxAge: 63072000, // 2 years
@ -148,7 +156,9 @@ module.exports = {
      preload: true
    }
    */
-    hsts: false
+    hsts: false,
+    // This was also enabled by default since Helmet v5.0.0
+    originAgentCluster: false
  },

  /*
--- a/lolisafe.js
+++ b/lolisafe.js
@ -60,7 +60,11 @@ if (config.helmet instanceof Object && Object.keys(config.helmet).length) {
  // Fallback to old behavior when the whole helmet option was not configurable from the config file
  safe.use(helmet({
    contentSecurityPolicy: false,
-    hsts: false
+    crossOriginEmbedderPolicy: false,
+    crossOriginOpenerPolicy: false,
+    crossOriginResourcePolicy: false,
+    hsts: false,
+    originAgentCluster: false
  }))

  if (config.hsts instanceof Object && Object.keys(config.hsts).length) {