Commit
add optimizations to security headers
JamieVangeysel committed Oct 25, 2023
1 parent 3438bcd commit 3d86243
Showing 3 changed files with 6 additions and 6 deletions.
6 changes: 3 additions & 3 deletions index.js
Expand Up @@ -76,7 +76,7 @@ module.exports = async function (appConfig) {
}

// https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html
if (config.securityHeaders || true)
if (config.securityHeaders)
fastify.addHook('onSend', async function (request, reply) {
// To prevent browsers from performing MIME sniffing, and inappropriately interpreting responses as HTML.
reply.header('X-Content-Type-Options', `nosniff`)
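Review bot: dropping `|| true` turns the security headers from always-on into opt-in, so any consumer that never set `config.securityHeaders` silently loses every header in this `onSend` hook after upgrading. If the intent is to keep them on by default, gate on `config.securityHeaders !== false` or default the config object before this check (e.g. `const securityHeaders = config.securityHeaders ?? {}`), and call the new behaviour out in the release notes.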
Expand All @@ -85,7 +85,7 @@ module.exports = async function (appConfig) {
// To require connections over HTTPS and to protect against spoofed certificates.
reply.header('Strict-Transport-Security', `max-age=15552000; preload`)
// To protect against drag-and-drop style clickjacking attacks.
reply.header('Content-Security-Policy', `frame-ancestors 'none'`)
reply.header('Content-Security-Policy', config.securityHeaders.csp ?? `frame-ancestors 'none'`)
/**
* The headers below are only intended to provide additional security when responses are rendered as HTML. As such, if the API will never return HTML in responses, then these headers may not be necessary. However, if there is any uncertainty about the function of the headers, or the types of information that the API returns (or may return in future), then it is recommended to include them as part of a defence-in-depth approach.
*/
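Review bot: once `config.securityHeaders.csp` is supplied, the comment above this header ("To protect against drag-and-drop style clickjacking attacks") no longer describes what is sent, because a custom policy only blocks framing if it itself contains a `frame-ancestors` directive. Either document that an override must include `frame-ancestors`, or append `frame-ancestors 'none'` to the configured value. Note also that `config.securityHeaders.csp` assumes an object; a consumer passing `securityHeaders: true` (which the first hunk still accepts) gets `undefined` here and falls through to the default, which works but deserves a line in the docs.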
Expand All @@ -95,7 +95,7 @@ module.exports = async function (appConfig) {
// This header used to be named Feature-Policy. When browsers heed this header, it is used to control browser features via directives. The example disables features with an empty allowlist for a number of permitted directive names. When you apply this header, verify that the directives are up-to-date and fit your needs. Please have a look at this article for a detailed explanation on how to control browser features.
reply.header('Permissions-Policy', `fullscreen=*`)
// The majority of CSP functionality only affects pages rendered as HTML.
reply.header('Content-Security-Policy', `default-src 'none'`)
reply.header('Content-Security-Policy', config.securityHeaders.csp ?? `default-src 'none'`)
}
})
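Review bot: this sets the same `Content-Security-Policy` header that the previous hunk already set, with the same `config.securityHeaders.csp` override; Fastify's `reply.header` replaces an existing value rather than appending, so whenever this block runs the `frame-ancestors 'none'` default from above is discarded, and with a custom `csp` the two distinct fallbacks never both apply. Consider building one policy string (e.g. `default-src 'none'; frame-ancestors 'none'`) and setting the header once, and add the new `securityHeaders.csp` option to the README, since none of the three files in this commit documents it.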

4 changes: 2 additions & 2 deletions package-lock.json


2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "@groupclaes/fastify-elastic",
"version": "4.1.2",
"version": "4.1.3",
"description": "GroupClaes's simple fastify wrapper function for simpler setup and elastic logging support",
"main": "index.js",
"scripts": {
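Review bot: a patch bump (4.1.2 to 4.1.3) understates the change in index.js, where security headers go from always enabled to enabled only when `config.securityHeaders` is set; consumers on a caret range will pick this release up automatically and may lose headers without noticing. A minor bump with a changelog entry describing the new gate and the `csp` option would be the safer signal.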

0 comments on commit 3d86243