I have tried this using Helmet 4.4.1 version both of them below sets to true for upgrade-insecure-requests CSP

upgradeInsecureRequests: [] and upgradeInsecureRequests: ['true']

Which of the above format is correct to use?

sideshowbarker
hitendra

4 Answers

This works for me:

const helmet = require("helmet");

app.use(
  helmet.contentSecurityPolicy({
    directives: {
      "script-src": ["'self'"],
      // null tells Helmet to drop this directive from the policy it emits
      upgradeInsecureRequests: null,
    },
  })
);

Setting upgradeInsecureRequests to null:

upgradeInsecureRequests: null

This worked for me:

const helmet = require("helmet");

// Start from Helmet's own default directive set, then drop the one we don't want
const defaultDirectives = helmet.contentSecurityPolicy.getDefaultDirectives();
delete defaultDirectives['upgrade-insecure-requests'];

app.use( helmet() );
app.use(helmet.contentSecurityPolicy({
  directives: {
    ...defaultDirectives,
  },
}));

The delete part removes the upgrade-insecure-requests key in the defaultDirectives object.

Nico Serrano

After a few hours of trial and error, I've got it working. I did it like this:

const helmet = require("helmet");

// Copy Helmet's default directives and remove upgrade-insecure-requests
const defaultCspOptions = helmet.contentSecurityPolicy.getDefaultDirectives();
delete defaultCspOptions["upgrade-insecure-requests"];

app.use(helmet({
  contentSecurityPolicy: {
    // without this, Helmet merges its defaults back in and the delete has no effect
    useDefaults: false,
    directives: { ...defaultCspOptions },
  },
}));

Almost like Nico Serrano's answer, yes. In fact it inspired this. I just add useDefaults: false. Otherwise, even though the 'upgrade-insecure-requests' property no longer exists in defaultCspOptions, helmet automatically re-appends any missing property with the default value, rendering the delete part useless.

yaputra jordi

Solved: we can simply add upgradeInsecureRequests: []

hitendra

  • This sets it to `true`, but how can I set it to `false`? – Miaucl May 11 '21 at 09:17
  • In that case just don't provide this prop, i.e. upgradeInsecureRequests – hitendra May 11 '21 at 16:45
  • The problem is now that the browser sets `upgrade-insecure-requests` by default - but internally I need to mix http inside https and I trust the server because it's mine - so, how to disable it? – Ricky Levi Dec 14 '21 at 09:54
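The answers above disagree only about how the option object gets turned into the header, so the quickest way to settle "which form is correct" is to look at the header each form produces. The following is an added example, not Helmet's code and not from any of the answers: a small model of the documented option semantics (camelCase or dash-case names, `[]` for a valueless directive, `null` to remove a directive, `useDefaults` to merge in a default set), plus a parser that checks whether `upgrade-insecure-requests` is actually present in the header a server sends. The default directive list here is constructed to resemble Helmet's and the `useDefaults` default of `true` is an assumption; the real list and default depend on the Helmet version installed. Per the CSP specification `upgrade-insecure-requests` takes no value, which is why `[]` yields the directive as the spec writes it while `['true']` appends a token the directive does not define.

```javascript
// Added example (not Helmet's code): model how a Helmet-style CSP option object
// becomes a Content-Security-Policy header, then verify the result by parsing it.

// Constructed default set, resembling (not equal to) Helmet's defaults.
const DEFAULT_DIRECTIVES = Object.freeze({
  "default-src": ["'self'"],
  "base-uri": ["'self'"],
  "script-src": ["'self'"],
  "upgrade-insecure-requests": [], // valueless directive: name only
});

// camelCase -> dash-case (upgradeInsecureRequests -> upgrade-insecure-requests)
function dashify(name) {
  return name.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());
}

// Build the header value. `null` removes a directive, `[]` keeps it valueless,
// a non-empty array is emitted as "name value value". With useDefaults=false
// only the caller's directives are used (assumed default: true).
function buildCsp(directives, { useDefaults = true } = {}) {
  const merged = useDefaults ? { ...DEFAULT_DIRECTIVES } : {};
  for (const [rawName, value] of Object.entries(directives)) {
    const name = dashify(rawName);
    if (value === null) delete merged[name];
    else merged[name] = value;
  }
  return Object.entries(merged)
    .map(([name, values]) => (values.length ? `${name} ${values.join(" ")}` : name))
    .join("; ");
}

// Parse a header value back into { directive: [tokens] } so a test or a
// response check can ask what the policy really contains.
function parseCsp(header) {
  const out = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0]] = tokens.slice(1);
  }
  return out;
}

function hasUpgradeInsecureRequests(header) {
  return Object.prototype.hasOwnProperty.call(parseCsp(header), "upgrade-insecure-requests");
}

// The forms discussed in the question and answers:
const enabled = buildCsp({ upgradeInsecureRequests: [] });        // directive present, no value
const withTrue = buildCsp({ upgradeInsecureRequests: ["true"] }); // directive present, stray token
const viaNull = buildCsp({ "script-src": ["'self'"], upgradeInsecureRequests: null });

// delete-from-defaults pattern, with and without defaults merged back in
const trimmed = { ...DEFAULT_DIRECTIVES };
delete trimmed["upgrade-insecure-requests"];
const deleteMerged = buildCsp(trimmed, { useDefaults: true });
const deleteNoDefaults = buildCsp(trimmed, { useDefaults: false });

console.log({ enabled, withTrue, viaNull, deleteMerged, deleteNoDefaults });
```

Run it with `node` and compare the five headers: the `[]` form and the `['true']` form both carry the directive, `null` removes it, and the `delete` pattern only works when defaults are not merged back in, which is exactly the difference between the two answers that use `getDefaultDirectives()`.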