helmetjs / helmet

Help secure Express apps with various HTTP headers
https://helmetjs.github.io/
MIT License

swagger #455

Closed FDiskas closed 5 months ago

FDiskas commented 5 months ago

To properly load swagger what settings should be used?

```js
// Config as posted, with one defect corrected: CSP keyword sources must be
// single-quoted (`'unsafe-inline'`); an unquoted `unsafe-inline` is read by
// the browser as a host name, not a keyword, so it allows nothing.
app.use(
  helmet({
    contentSecurityPolicy: {
      directives: {
        defaultSrc: [`'self'`],
        scriptSrcElem: [
          `cdn.jsdelivr.net`,
          `'sha256-TcUB1mzXiQO4GxpTRZ0EMpOXKMU3u+n/q1WrgVIcs1I='`,
        ],
        styleSrc: [`'self'`, `'unsafe-inline'`],
        styleSrcElem: ['*', `'unsafe-inline'`],
        fontSrc: ['fonts.gstatic.com', 'https://*.gstatic.com', 'data:'],
      },
    },
  }),
);
```

EvanHahn commented 5 months ago

Not sure!

This is more of a Content Security Policy question than a Helmet question. A quick web search gave these instructions which might help?

I'm going to close this issue because I don't think there's anything wrong with Helmet, but let me know if that's wrong and I'll reopen.

FDiskas commented 5 months ago

@EvanHahn - thank you

For users who landed here from Google - here is a working CSP config for swagger

```js
// Working config as posted: Swagger UI loads its script and stylesheet from
// the CDNs listed here and uses inline script/style, hence 'unsafe-inline'.
app.use(
  helmet({
    contentSecurityPolicy: {
      directives: {
        defaultSrc: [`'self'`],
        imgSrc: [`data:`, `https:`],
        objectSrc: [`'none'`],
        scriptSrc: [
          `cdn.jsdelivr.net`,
          `stackpath.bootstrapcdn.com`,
          `'self'`,
          `'unsafe-inline'`,
        ],
        styleSrc: [
          `fonts.googleapis.com`,
          `stackpath.bootstrapcdn.com`,
          `'self'`,
          `'unsafe-inline'`,
        ],
      },
    },
  }),
);
```
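The difference between the two configs in this thread is easy to miss: the first one wrote `unsafe-inline` without quotes, which CSP parses as a host source rather than the keyword. The following is an added example, not code from the thread or from the Helmet project. It serializes a Helmet-style `directives` object into the header value the browser will actually read (camelCase names become kebab-case, as Helmet does) and flags keyword sources that are missing their quotes. It is dependency-free and does not use `helmet` or `express`; the sample configs are constructed from the ones posted above, and real Helmet merges the directives you pass with its own defaults, which this serializer does not model.

```javascript
// Added example (not from the helmet issue thread or the Helmet project).
// Serialize a Helmet-style `directives` object into a Content-Security-Policy
// header value and flag keyword sources written without the required quotes.

// CSP keyword sources. Written bare (e.g. `unsafe-inline`) the browser treats
// them as a host name, so the policy silently does not grant what was intended.
const CSP_KEYWORDS = new Set([
  "self", "none", "unsafe-inline", "unsafe-eval", "unsafe-hashes",
  "strict-dynamic", "report-sample",
]);

// Helmet accepts camelCase directive names and emits them in kebab-case.
function toKebab(name) {
  return name.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());
}

// Return [{ directive, value }] for every keyword source that lacks quotes.
function findUnquotedKeywords(directives) {
  const problems = [];
  for (const [name, values] of Object.entries(directives)) {
    for (const value of values) {
      if (CSP_KEYWORDS.has(value)) {
        problems.push({ directive: toKebab(name), value });
      }
    }
  }
  return problems;
}

// Build the header value as the browser will see it. Assumption: only the
// directives given here are emitted (Helmet also merges in its defaults).
function serializeCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) => `${toKebab(name)} ${values.join(" ")}`)
    .join("; ");
}

// Constructed sample: the first config from the thread, with the bare keyword.
const questionConfig = {
  defaultSrc: ["'self'"],
  scriptSrcElem: [
    "cdn.jsdelivr.net",
    "'sha256-TcUB1mzXiQO4GxpTRZ0EMpOXKMU3u+n/q1WrgVIcs1I='",
  ],
  styleSrc: ["'self'", "unsafe-inline"],
  styleSrcElem: ["*", "'unsafe-inline'"],
  fontSrc: ["fonts.gstatic.com", "https://*.gstatic.com", "data:"],
};

// Constructed sample: the working config from the reply.
const answerConfig = {
  defaultSrc: ["'self'"],
  imgSrc: ["data:", "https:"],
  objectSrc: ["'none'"],
  scriptSrc: ["cdn.jsdelivr.net", "stackpath.bootstrapcdn.com", "'self'", "'unsafe-inline'"],
  styleSrc: ["fonts.googleapis.com", "stackpath.bootstrapcdn.com", "'self'", "'unsafe-inline'"],
};

// Run the check over both configs and print what the header would contain.
for (const [label, cfg] of [["question", questionConfig], ["answer", answerConfig]]) {
  const problems = findUnquotedKeywords(cfg);
  console.log(`${label}: ${serializeCsp(cfg)}`);
  for (const p of problems) {
    console.log(`  unquoted keyword in ${p.directive}: ${p.value} -> '${p.value}'`);
  }
}
```

Running it prints the `style-src 'self' unsafe-inline` line for the first config together with the warning, and a clean header for the second; the same check can be dropped into a test suite so a CSP regression of this kind is caught before deploy rather than in the browser console.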