Closed sfuerte closed 4 years ago
That's unexpected.
Could you include a code snippet that reproduces this problem?
Sure.
import "regenerator-runtime/runtime";
import Koa from "koa";
import koaBody from "koa-bodyparser";
import compression from "koa-compress";
import cors from "koa2-cors";
import { csp } from "helmet-csp";
import helmet from "koa-helmet";
import KoaRouter from "koa-router";
import session from "koa-session";
...
const app = new Koa(),
koaCorsOptions = {
"credentials": true,
"methods": "GET,HEAD,PUT,PATCH,POST,DELETE",
"origin": config.SERVER_URL
},
koaSessionOptions = {
"httpOnly": "true",
"signed": "true"
},
...
app.use(session(koaSessionOptions, app));
// Securing HTTP headers
app.use(cors(koaCorsOptions));
app.use(async (context, next) => {
// eslint-disable-next-line callback-return
await next();
context.set({
"Cache-Control": config.SERVER_HTTP_CACHE_CONTROL || "no-store, no-cache, must-revalidate",
"Pragma": config.SERVER_HTTP_PRAGMA || "no-cache",
"Strict-Transport-Security": config.SERVER_HTTP_STRICT_TRANSPORT_SECURITY || "max-age=15552000; includeSubDomains",
"X-Content-Type-Options": config.SERVER_HTTP_X_CONTENT_TYPE_OPTIONS || "nosniff",
"X-Download-Options": config.SERVER_HTTP_X_DOWNLOAD_OPTIONS || "noopen",
"X-Frame-Options": config.SERVER_HTTP_X_FRAME_OPTIONS || "deny",
"X-XSS-Protection": config.SERVER_HTTP_X_XSS_PROTECTION || "1; mode=block"
});
context.remove("X-Powered-By");
});
app.use(csp({
"browserSniff": false,
"directives": {
"defaultSrc": ["'self'"],
"scriptSrc": ["'self'", "'unsafe-inline'", "'sha256-...'"]
}
}));
...
all dependencies are the latest as of today
It looks like you're using Koa which this module does not support. Could you achieve the same thing with koa-helmet
?
Sure, will do that. Thanks
Getting the following error when
browserSniff
is true:and at another line with
sniff
is off:"helmet-csp": "^2.9.4"