helmetjs / csp

The source for this module has moved to the Helmet repository.
https://github.com/helmetjs/helmet/
MIT License

res.setHeader is not a function #95

Closed sfuerte closed 4 years ago

sfuerte commented 4 years ago

Getting the following error when browserSniff is true:

  TypeError: res.setHeader is not a function
      at /app/node_modules/helmet-csp/dist/index.js:58:21
      at Array.forEach (<anonymous>)
      at csp (/app/node_modules/helmet-csp/dist/index.js:53:24)
      at dispatch (/app/node_modules/koa-compose/index.js:42:32)
      at _callee$ (/app/dist/server.js:53:11)
      at tryCatch (/app/node_modules/regenerator-runtime/runtime.js:45:40)
      at Generator.invoke [as _invoke] (/app/node_modules/regenerator-runtime/runtime.js:271:22)
      at Generator.prototype.<computed> [as next] (/app/node_modules/regenerator-runtime/runtime.js:97:21)
      at tryCatch (/app/node_modules/regenerator-runtime/runtime.js:45:40)
      at invoke (/app/node_modules/regenerator-runtime/runtime.js:135:20)
      at /app/node_modules/regenerator-runtime/runtime.js:170:11
      at new Promise (<anonymous>)
      at callInvokeWithMethodAndArg (/app/node_modules/regenerator-runtime/runtime.js:169:16)
      at AsyncIterator.enqueue [as _invoke] (/app/node_modules/regenerator-runtime/runtime.js:192:13)
      at AsyncIterator.prototype.<computed> [as next] (/app/node_modules/regenerator-runtime/runtime.js:97:21)
      at Object.exports.async (/app/node_modules/regenerator-runtime/runtime.js:216:14)
      at _callee (/app/dist/server.js:51:73)
      at dispatch (/app/node_modules/koa-compose/index.js:42:32)
      at cors (/app/node_modules/koa2-cors/dist/index.js:91:15)
      at dispatch (/app/node_modules/koa-compose/index.js:42:32)
      at session (/app/node_modules/koa-session/index.js:41:13)
      at dispatch (/app/node_modules/koa-compose/index.js:42:32)

and at another line when browserSniff is off:

  TypeError: res.setHeader is not a function
      at /app/node_modules/helmet-csp/dist/index.js:76:25

"helmet-csp": "^2.9.4"

EvanHahn commented 4 years ago

That's unexpected.

Could you include a code snippet that reproduces this problem?

sfuerte commented 4 years ago

Sure.

import "regenerator-runtime/runtime";
import Koa from "koa";
import koaBody from "koa-bodyparser";
import compression from "koa-compress";
import cors from "koa2-cors";
import { csp } from "helmet-csp";
import helmet from "koa-helmet";
import KoaRouter from "koa-router";
import session from "koa-session";

...
const app = new Koa(),
    koaCorsOptions = {
        "credentials": true,
        "methods": "GET,HEAD,PUT,PATCH,POST,DELETE",
        "origin": config.SERVER_URL
    },
    koaSessionOptions = {
        "httpOnly": "true",
        "signed": "true"
    },
...
app.use(session(koaSessionOptions, app));

// Securing HTTP headers
app.use(cors(koaCorsOptions));
app.use(async (ctx, next) => {
    // Let the rest of the chain run first; the headers below are then
    // applied after downstream handlers have finished.
    // eslint-disable-next-line callback-return
    await next();
    // `||` means an unset *or empty-string* config value falls back to the
    // hardened default; only a non-empty configured value overrides it.
    const securityHeaders = {
        "Cache-Control": config.SERVER_HTTP_CACHE_CONTROL || "no-store, no-cache, must-revalidate",
        "Pragma": config.SERVER_HTTP_PRAGMA || "no-cache",
        "Strict-Transport-Security": config.SERVER_HTTP_STRICT_TRANSPORT_SECURITY || "max-age=15552000; includeSubDomains",
        "X-Content-Type-Options": config.SERVER_HTTP_X_CONTENT_TYPE_OPTIONS || "nosniff",
        "X-Download-Options": config.SERVER_HTTP_X_DOWNLOAD_OPTIONS || "noopen",
        "X-Frame-Options": config.SERVER_HTTP_X_FRAME_OPTIONS || "deny",
        "X-XSS-Protection": config.SERVER_HTTP_X_XSS_PROTECTION || "1; mode=block"
    };
    ctx.set(securityHeaders);
    // Remove the framework fingerprint header.
    ctx.remove("X-Powered-By");
});

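// helmet-csp is Express-style middleware (req, res, next). Koa's app.use
// passes (ctx, next) instead, so the second argument is not an Express `res`
// and `res.setHeader` is undefined — the error reported in this issue.
// koa-helmet (already imported above as `helmet`) wraps the same CSP
// middleware for Koa; the options object is unchanged.
// NOTE(review): when a 'sha256-…' hash is present, CSP Level 2+ browsers
// ignore 'unsafe-inline' for that directive, so it only acts as a fallback
// for older browsers — confirm that is intended and that the hash matches
// the inline script actually served.
app.use(helmet.contentSecurityPolicy({
    "browserSniff": false,
    "directives": {
        "defaultSrc": ["'self'"],
        "scriptSrc": ["'self'", "'unsafe-inline'", "'sha256-...'"]
    }
}));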
...
sfuerte commented 4 years ago

all dependencies are the latest as of today [image]

EvanHahn commented 4 years ago

It looks like you're using Koa, which this module does not support. Could you achieve the same thing with koa-helmet?

sfuerte commented 4 years ago

Sure, will do that. Thanks