luneski/mqtt-explorer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix blank page on IP access by properly removing upgrade-insecure-requests CSP directive (#1030)

Browse Source 
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: thomasnordquist <7721625+thomasnordquist@users.noreply.github.com>
This commit is contained in:
Copilot
2026-01-27 00:17:35 +01:00
committed by GitHub
parent d392fe7342
commit 3b0458a78b
1 changed files with 25 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
src/server.ts
View File

@@ -78,17 +78,34 @@ async function startServer() {
const app = express() const app = express()
// Apply security headers with helmet // Apply security headers with helmet
// Get Helmet's default CSP directives and remove upgrade-insecure-requests
// This ensures the directive is never added, even in edge cases
// Create a copy to avoid mutating Helmet's defaults
const defaultCspDirectives = { ...helmet.contentSecurityPolicy.getDefaultDirectives() }
delete defaultCspDirectives['upgrade-insecure-requests']
// Build custom CSP directives, overriding defaults as needed
const cspDirectives = {
...defaultCspDirectives,
// Override default-src from defaults
'default-src': ["'self'"],
// Override script-src for webpack
'script-src': ["'self'", "'unsafe-inline'", "'unsafe-eval'"], // unsafe-eval required for webpack runtime
// Override style-src for Material-UI
'style-src': ["'self'", "'unsafe-inline'"], // Required for Material-UI
// Add WebSocket support
'connect-src': ["'self'", 'ws:', 'wss:'], // Allow WebSocket connections
// Allow data URIs for images
'img-src': ["'self'", 'data:', 'blob:'],
// Only add upgrade-insecure-requests if explicitly enabled via env var
...(enableUpgradeInsecure && { 'upgrade-insecure-requests': [] }),
}
app.use( app.use(
helmet({ helmet({
contentSecurityPolicy: { contentSecurityPolicy: {
directives: { useDefaults: false, // Don't merge with Helmet's defaults to ensure full control
defaultSrc: ["'self'"], directives: cspDirectives,
scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"], // unsafe-eval required for webpack runtime
styleSrc: ["'self'", "'unsafe-inline'"], // Required for Material-UI
connectSrc: ["'self'", 'ws:', 'wss:'], // Allow WebSocket connections
imgSrc: ["'self'", 'data:', 'blob:'],
upgradeInsecureRequests: enableUpgradeInsecure ? [] : null, // Only enable when behind HTTPS reverse proxy
},
}, },
hsts: isProduction hsts: isProduction
? { ? {