Stop setting Expect-CT by default
See [#310][310].

[310]: #310
EvanHahn committed Aug 26, 2022
1 parent 3874c6b commit c47782d
Showing 4 changed files with 17 additions and 4 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
@@ -6,6 +6,7 @@

- **Breaking:** Where possible, increase TypeScript strictness around some strings. Only affects TypeScript users. See [#369](https://github.com/helmetjs/helmet/issues/369)
- **Breaking:** `helmet.contentSecurityPolicy` no longer sets `block-all-mixed-content` directive by default
- **Breaking:** `helmet.expectCt` is no longer set by default. It can, however, be explicitly enabled. It will be removed in Helmet 7. See [#310](https://github.com/helmetjs/helmet/issues/310)
- `helmet.frameguard` no longer offers a specific error when trying to use `ALLOW-FROM`; it just says that it is unsupported. Only the error message has changed

### Removed
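Review bot: the new `helmet.expectCt` entry says the middleware "can, however, be explicitly enabled" but does not show how; because this is a Breaking entry that silently drops a header some deployments may be relying on, add the call that restores the old behaviour, e.g. `helmet({ expectCt: true })` (which, per the test added in this commit, yields `Expect-CT: max-age=0` again), so readers of the changelog can upgrade without hunting through the README.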
3 changes: 2 additions & 1 deletion README.md
@@ -37,7 +37,6 @@ Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' http
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Expect-CT: max-age=0
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
@@ -373,6 +372,8 @@ Expect-CT: max-age=0

`helmet.expectCt` sets the `Expect-CT` header which helps mitigate misissued SSL certificates. See [MDN's article on Certificate Transparency](https://developer.mozilla.org/en-US/docs/Web/Security/Certificate_Transparency) and the [`Expect-CT` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT) for more.

`Expect-CT` is no longer useful for new browsers in 2022. Therefore, `helmet.expectCt` is deprecated and will be removed in the next major version of Helmet. However, it can still be used in this version of Helmet.

`options.maxAge` is the number of seconds to expect Certificate Transparency. It defaults to `0`.

`options.enforce` is a boolean. If `true`, the user agent (usually a browser) should refuse future connections that violate its Certificate Transparency policy. Defaults to `false`.
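Review bot: the added sentence "`Expect-CT` is no longer useful for new browsers in 2022" is vague and unsourced; say what changed (that current browsers stopped honouring the header) and link #310 the way the CHANGELOG entry in this same commit does, e.g. "Browsers have dropped support for `Expect-CT`, so `helmet.expectCt` is deprecated and will be removed in Helmet 7; see #310." Also, because the header is no longer sent by default, state here that it must now be opted into with `helmet({ expectCt: true })` or `helmet({ expectCt: { maxAge: 123 } })`; as written, the `options.maxAge` and `options.enforce` paragraphs that follow still read as if they describe default behaviour.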
2 changes: 1 addition & 1 deletion index.ts
@@ -147,7 +147,7 @@ function getMiddlewareFunctionsFromOptions(
result.push(xDnsPrefetchControl(...xDnsPrefetchControlArgs));
}

const expectCtArgs = getArgs(options.expectCt);
const expectCtArgs = options.expectCt && getArgs(options.expectCt);
if (expectCtArgs) {
result.push(expectCt(...expectCtArgs));
}
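Review bot: `options.expectCt && getArgs(options.expectCt)` makes Expect-CT the one middleware in this function that stays off when its option is `undefined`, whereas the removed line `const expectCtArgs = getArgs(options.expectCt);` shows the pattern the others still follow, where an absent option means "enabled with defaults"; that asymmetry is intended here but is invisible at the call site, so add a comment on the `const` line pointing at #310 and the Helmet 7 removal, matching the `// In Helmet 7, ...` comments added in the tests, e.g. `// Expect-CT is opt-in and deprecated; remove in Helmet 7. See #310.` Note also that the expression now evaluates to `false` rather than `undefined` when `expectCt: false` is passed; the `if (expectCtArgs)` guard handles both, so there is no behaviour change, but the inferred type of `expectCtArgs` widens accordingly.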
15 changes: 13 additions & 2 deletions test/index.test.ts
@@ -24,7 +24,7 @@ import xXssProtection from "../middlewares/x-xss-protection";
describe("helmet", () => {
const topLevel = helmet.default;

it("includes all middleware with their default options", async () => {
it("includes all middleware, except Expect-CT, with their default options", async () => {
// NOTE: This test relies on the CSP object being ordered a certain way,
// which could change (and be non-breaking). If that becomes a problem,
// we should update this test to be more robust.
@@ -34,7 +34,8 @@ describe("helmet", () => {
"cross-origin-embedder-policy": "require-corp",
"cross-origin-opener-policy": "same-origin",
"cross-origin-resource-policy": "same-origin",
"expect-ct": "max-age=0",
// In Helmet 7, we can remove this Expect-CT assertion.
"expect-ct": null,
"origin-agent-cluster": "?1",
"referrer-policy": "no-referrer",
"strict-transport-security": "max-age=15552000; includeSubDomains",
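Review bot: the expectation `"expect-ct": null` only proves the header is absent if the `check` helper treats a `null` expectation as "this header must not be present"; `check` is not in this hunk, so confirm that is its contract rather than a loose comparison that `undefined` would also satisfy, otherwise this test keeps passing even if `helmet()` still sets `Expect-CT`. The `// In Helmet 7, we can remove this Expect-CT assertion.` marker is useful; consider giving it and the matching comment on the new test a common `TODO` prefix so a single grep finds both when the removal happens.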
@@ -61,6 +62,16 @@ describe("helmet", () => {
});
});

// In Helmet 7, this test should be removed.
it("allows Expect-CT to be enabled", async () => {
await check(topLevel({ expectCt: true }), {
"expect-ct": "max-age=0",
});
await check(topLevel({ expectCt: { maxAge: 123 } }), {
"expect-ct": "max-age=123",
});
});

it("works with all default middlewares disabled", async () => {
await check(
topLevel({
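Review bot: the new "allows Expect-CT to be enabled" test covers `expectCt: true` and `{ maxAge: 123 }` but not `enforce`, which the README in this same commit still documents as an option (`options.enforce` ... `Defaults to false`); add a case such as `topLevel({ expectCt: { maxAge: 123, enforce: true } })` asserting that the `enforce` directive is emitted, and a `topLevel({ expectCt: false })` case asserting the header stays absent, so the opt-in path is pinned in both directions for as long as it remains in the codebase.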