Added Content-Security-Policy header for improved security

bcgov · Jan 24, 2025 · 1f97997 · 1f97997
1 parent e5c03b7
commit 1f97997
Showing 1 changed file with 1 addition and 20 deletions.
diff --git a/app/app.js b/app/app.js
@@ -10,7 +10,7 @@ const middleware = require('./src/forms/common/middleware');
 const rateLimiter = require('./src/forms/common/middleware').apiKeyRateLimiter;
 const v1Router = require('./src/routes/v1');
 // Use Helmet to set the Content-Security-Policy (CSP) header
-const helmet = require('helmet');
+//const helmet = require('helmet');
 const DataConnection = require('./src/db/dataConnection');
 const dataConnection = new DataConnection();
 const { eventStreamService } = require('./src/components/eventStreamService');
@@ -29,25 +29,6 @@ let probeId;
 const app = express();
 // to enhance the app's security by controlling the resources
 // the browser is allowed to load.
-app.use(
-  helmet.contentSecurityPolicy({
-    directives: {
-      defaultSrc: ["'self'"],
-      // eslint-disable-next-line prettier/prettier
-      scriptSrc: ["'self'", 'https://dev.loginproxy.gov.bc.ca'], // Allow scripts from the login provider
-      styleSrc: ["'self'"],
-      imgSrc: ["'self'"],
-      // eslint-disable-next-line prettier/prettier
-      connectSrc: ["'self'", 'https://dev.loginproxy.gov.bc.ca'], // Allow connections to the login provider
-      fontSrc: ["'self'"],
-      objectSrc: ["'none'"],
-      // eslint-disable-next-line prettier/prettier
-      frameAncestors: ["'self'", 'https://dev.loginproxy.gov.bc.ca'], // Allow embedding if necessary
-      baseUri: ["'self'"],
-      formAction: ["'self'"],
-    },
-  })
-);
 
 app.use(compression());
 app.use(express.json({ limit: config.get('server.bodyLimit') }));