From 3d86243c8dec5dafd90b2829b781a10b7b9d18b5 Mon Sep 17 00:00:00 2001
From: Jamie Vangeysel <32323785+JamieVangeysel@users.noreply.github.com>
Date: Wed, 25 Oct 2023 15:53:36 +0200
Subject: [PATCH] add optimizations to security headers
---
 index.js | 6 +++---
 package-lock.json | 4 ++--
 package.json | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/index.js b/index.js
index 94c43ca..e35ba82 100644
--- a/index.js
+++ b/index.js
@@ -76,7 +76,7 @@ module.exports = async function (appConfig) {
 }
 // https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html
- if (config.securityHeaders || true)
+ if (config.securityHeaders)
 fastify.addHook('onSend', async function (request, reply) {
 // To prevent browsers from performing MIME sniffing, and inappropriately interpreting responses as HTML.
 reply.header('X-Content-Type-Options', `nosniff`)
@@ -85,7 +85,7 @@ module.exports = async function (appConfig) {
 // To require connections over HTTPS and to protect against spoofed certificates.
 reply.header('Strict-Transport-Security', `max-age=15552000; preload`)
 // To protect against drag-and-drop style clickjacking attacks.
- reply.header('Content-Security-Policy', `frame-ancestors 'none'`)
+ reply.header('Content-Security-Policy', config.securityHeaders.csp ?? `frame-ancestors 'none'`)
 /**
 * The headers below are only intended to provide additional security when responses are rendered as HTML. As such, if the API will never return HTML in responses, then these headers may not be necessary. However, if there is any uncertainty about the function of the headers, or the types of information that the API returns (or may return in future), then it is recommended to include them as part of a defence-in-depth approach.
 */
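Review bot: Removing `|| true` from `if (config.securityHeaders)` turns every security header into an opt-in: a consumer of this wrapper that never set `config.securityHeaders` now receives no `X-Content-Type-Options`, `Strict-Transport-Security` or CSP at all, which is a silent loss of protection rather than an optimization. If the intent was only to make the policy configurable, keep the secure default and let callers opt out explicitly, e.g. `const securityHeaders = config.securityHeaders ?? true` followed by `if (securityHeaders !== false)`, and read `securityHeaders.csp` further down (property access on `true` yields `undefined`, so the `??` fallbacks still apply). This is a behaviour change for existing users, yet the commit ships it as a patch bump (4.1.2 to 4.1.3), so it deserves at least a changelog entry. The `onSend` hook opened here continues past the end of this hunk.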
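Review bot: `config.securityHeaders.csp` replaces the entire policy, so a consumer that sets `csp` to tune `default-src` silently drops `frame-ancestors 'none'` and with it the clickjacking protection the comment directly above promises; either append that directive to whatever is supplied or state the contract where the option is read. Note also that `??` only guards `null`/`undefined`, so `csp: ''` emits an empty `Content-Security-Policy` header. Suggested comment on the new line: `// A caller-supplied csp replaces the whole policy; it must carry its own frame-ancestors directive.` While here, the unchanged HSTS value `max-age=15552000; preload` cannot actually be accepted by the preload list, which requires `includeSubDomains` and a max-age of at least 31536000, so `preload` currently advertises something the header does not deliver.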
@@ -95,7 +95,7 @@ module.exports = async function (appConfig) {
 // This header used to be named Feature-Policy. When browsers heed this header, it is used to control browser features via directives. The example disables features with an empty allowlist for a number of permitted directive names. When you apply this header, verify that the directives are up-to-date and fit your needs. Please have a look at this article for a detailed explanation on how to control browser features.
 reply.header('Permissions-Policy', `fullscreen=*`)
 // The majority of CSP functionality only affects pages rendered as HTML.
- reply.header('Content-Security-Policy', `default-src 'none'`)
+ reply.header('Content-Security-Policy', config.securityHeaders.csp ?? `default-src 'none'`)
 }
 })
diff --git a/package-lock.json b/package-lock.json
index 1c148e2..544cc59 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "@groupclaes/fastify-elastic",
- "version": "4.1.2",
+ "version": "4.1.3",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "": {
 "name": "@groupclaes/fastify-elastic",
- "version": "4.1.2",
+ "version": "4.1.3",
 "license": "MIT",
 "dependencies": {
 "@fastify/cookie": "^9.0.4",
diff --git a/package.json b/package.json
index 92eb491..dc6e2bf 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@groupclaes/fastify-elastic",
- "version": "4.1.2",
+ "version": "4.1.3",
 "description": "GroupClaes's simple fastify wrapper function for simpler setup and elastic logging support",
 "main": "index.js",
 "scripts": {
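Review bot: This second `reply.header('Content-Security-Policy', …)` runs in the same `onSend` hook as the `frame-ancestors 'none'` one in the previous hunk, and Fastify's `reply.header` overwrites an existing value for every header except `set-cookie`, so the earlier policy never reaches the client; before this change that already dropped the clickjacking protection, and after it both lines evaluate the same `config.securityHeaders.csp` so the first call is pure dead weight. Set the header once with both directives, `reply.header('Content-Security-Policy', config.securityHeaders.csp ?? \`default-src 'none'; frame-ancestors 'none'\`)`, and delete the earlier call. Lines 92 to 94 between the two hunks are not visible here, so this assumes nothing in that gap closes the hook or resets the header.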