Remove Expect-CT middleware
See [#378](#378).
EvanHahn committed May 6, 2023
1 parent 6f961d3 commit 38d7f60
Showing 9 changed files with 2 additions and 274 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
@@ -5,6 +5,7 @@
### Removed

- **Breaking:** Drop support for Node 14 and 15. Node 16+ is now required
- **Breaking:** `Expect-CT` is no longer part of Helmet. If you still need it, you can use the [`expect-ct` package](https://www.npmjs.com/package/expect-ct). See [#378](https://github.com/helmetjs/helmet/issues/378)

### 6.2.0 - 2023-05-06

40 changes: 0 additions & 40 deletions README.md
@@ -30,7 +30,6 @@ By default, Helmet sets the following headers:
- [`Cross-Origin-Embedder-Policy`](#cross-origin-embedder-policy): Controls cross-origin loading of resources, like images
- [`Cross-Origin-Opener-Policy`](#cross-origin-opener-policy): Helps process-isolate your page
- [`Cross-Origin-Resource-Policy`](#cross-origin-resource-policy): Blocks others from loading your resources cross-origin
- [`Expect-CT`](#expect-ct): Helps notice misissued SSL certificates
- [`Origin-Agent-Cluster`](#origin-agent-cluster): Changes process isolation to be origin-based
- [`Referrer-Policy`](#referrer-policy): Controls the [`Referer`][Referer] header
- [`Strict-Transport-Security`](#strict-transport-security): Tells browsers to prefer HTTPS
@@ -288,45 +287,6 @@ You can use this as standalone middleware with `app.use(helmet.crossOriginResour

</details>

<details id="expect-ct">
<summary><code>Expect-CT</code></summary>

Default:

```http
Expect-CT: max-age=0
```

Helmet sets the `Expect-CT` header which helps mitigate misissued SSL certificates. See [MDN's article on Certificate Transparency](https://developer.mozilla.org/en-US/docs/Web/Security/Certificate_Transparency) and the [`Expect-CT` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT) for more.

`Expect-CT` is no longer useful for new browsers in 2022. Therefore, this header is deprecated and will be removed in the next major version of Helmet. However, it can still be used in this version of Helmet.

`maxAge` is the number of seconds to expect Certificate Transparency. It defaults to `0`.

`enforce` is a boolean. If `true`, the user agent (usually a browser) should refuse future connections that violate its Certificate Transparency policy. Defaults to `false`.

`reportUri` is a string. If set, complying user agents will report Certificate Transparency failures to this URL. Unset by default.

```js
// Sets "Expect-CT: max-age=86400"
app.use(
helmet.expectCt({
maxAge: 86400,
})
);

// Sets "Expect-CT: max-age=86400, enforce, report-uri="https://example.com/report"
app.use(
helmet.expectCt({
maxAge: 86400,
enforce: true,
reportUri: "https://example.com/report",
})
);
```

</details>

<details id="origin-agent-cluster">
<summary><code>Origin-Agent-Cluster</code></summary>

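Review bot: Deleting the whole `<details id="expect-ct">` block also deletes the `#expect-ct` anchor that existing external links and search results point at, so a reader arriving here will find nothing explaining why the header is gone. Consider keeping a one-line entry in the header list, or a short note near the other `<details>` sections, that says `Expect-CT` was removed and points to the `expect-ct` package, as the CHANGELOG entry already does.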
17 changes: 0 additions & 17 deletions index.ts
@@ -11,7 +11,6 @@ import crossOriginOpenerPolicy, {
import crossOriginResourcePolicy, {
CrossOriginResourcePolicyOptions,
} from "./middlewares/cross-origin-resource-policy/index.js";
import expectCt, { ExpectCtOptions } from "./middlewares/expect-ct/index.js";
import originAgentCluster from "./middlewares/origin-agent-cluster/index.js";
import referrerPolicy, {
ReferrerPolicyOptions,
@@ -38,7 +37,6 @@ export type HelmetOptions = {
crossOriginEmbedderPolicy?: CrossOriginEmbedderPolicyOptions | boolean;
crossOriginOpenerPolicy?: CrossOriginOpenerPolicyOptions | boolean;
crossOriginResourcePolicy?: CrossOriginResourcePolicyOptions | boolean;
expectCt?: ExpectCtOptions | boolean;
originAgentCluster?: boolean;
referrerPolicy?: ReferrerPolicyOptions | boolean;
} & (
@@ -113,7 +111,6 @@ interface Helmet {
crossOriginEmbedderPolicy: typeof crossOriginEmbedderPolicy;
crossOriginOpenerPolicy: typeof crossOriginOpenerPolicy;
crossOriginResourcePolicy: typeof crossOriginResourcePolicy;
expectCt: typeof expectCt;
originAgentCluster: typeof originAgentCluster;
referrerPolicy: typeof referrerPolicy;
strictTransportSecurity: typeof strictTransportSecurity;
@@ -189,18 +186,6 @@ function getMiddlewareFunctionsFromOptions(
break;
}

switch (options.expectCt) {
case undefined:
case false:
break;
case true:
result.push(expectCt());
break;
default:
result.push(expectCt(options.expectCt));
break;
}

switch (options.originAgentCluster) {
case undefined:
case true:
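Review bot: With the `switch (options.expectCt)` block gone, a plain-JavaScript caller that still passes `expectCt: true` or `expectCt: { maxAge: 86400 }` gets no error and no header; only TypeScript users are told, via the removed `expectCt?` member of `HelmetOptions`. Since this is a breaking change, consider having `getMiddlewareFunctionsFromOptions` reject or warn on an `expectCt` key (or unrecognized keys generally) so the silent loss of the header is visible during migration, and mention that behaviour in the CHANGELOG entry.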
@@ -438,7 +423,6 @@ const helmet: Helmet = Object.assign(
crossOriginEmbedderPolicy,
crossOriginOpenerPolicy,
crossOriginResourcePolicy,
expectCt,
originAgentCluster,
referrerPolicy,
strictTransportSecurity,
@@ -469,7 +453,6 @@ export {
crossOriginEmbedderPolicy,
crossOriginOpenerPolicy,
crossOriginResourcePolicy,
expectCt,
originAgentCluster,
referrerPolicy,
strictTransportSecurity,
33 changes: 0 additions & 33 deletions middlewares/expect-ct/CHANGELOG.md

This file was deleted.

29 changes: 0 additions & 29 deletions middlewares/expect-ct/README.md

This file was deleted.

48 changes: 0 additions & 48 deletions middlewares/expect-ct/index.ts

This file was deleted.

11 changes: 0 additions & 11 deletions middlewares/expect-ct/package-overrides.json

This file was deleted.

78 changes: 0 additions & 78 deletions test/expect-ct.test.ts

This file was deleted.

19 changes: 1 addition & 18 deletions test/index.test.ts
@@ -9,7 +9,6 @@ import contentSecurityPolicy from "../middlewares/content-security-policy";
import crossOriginEmbedderPolicy from "../middlewares/cross-origin-embedder-policy";
import crossOriginOpenerPolicy from "../middlewares/cross-origin-opener-policy";
import crossOriginResourcePolicy from "../middlewares/cross-origin-resource-policy";
import expectCt from "../middlewares/expect-ct";
import referrerPolicy from "../middlewares/referrer-policy";
import originAgentCluster from "../middlewares/origin-agent-cluster";
import strictTransportSecurity from "../middlewares/strict-transport-security";
@@ -24,7 +23,7 @@ import xXssProtection from "../middlewares/x-xss-protection";
describe("helmet", () => {
const topLevel = helmet.default;

it("includes all middleware, except Expect-CT, with their default options", async () => {
it("includes all middleware with their default options", async () => {
// NOTE: This test relies on the CSP object being ordered a certain way,
// which could change (and be non-breaking). If that becomes a problem,
// we should update this test to be more robust.
@@ -34,8 +33,6 @@ describe("helmet", () => {
"cross-origin-embedder-policy": "require-corp",
"cross-origin-opener-policy": "same-origin",
"cross-origin-resource-policy": "same-origin",
// In Helmet 7, we can remove this Expect-CT assertion.
"expect-ct": null,
"origin-agent-cluster": "?1",
"referrer-policy": "no-referrer",
"strict-transport-security": "max-age=15552000; includeSubDomains",
@@ -62,22 +59,11 @@ describe("helmet", () => {
});
});

// In Helmet 7, this test should be removed.
it("allows Expect-CT to be enabled", async () => {
await check(topLevel({ expectCt: true }), {
"expect-ct": "max-age=0",
});
await check(topLevel({ expectCt: { maxAge: 123 } }), {
"expect-ct": "max-age=123",
});
});

it("works with all default middlewares disabled", async () => {
await check(
topLevel({
contentSecurityPolicy: false,
crossOriginEmbedderPolicy: false,
expectCt: false,
originAgentCluster: false,
referrerPolicy: false,
strictTransportSecurity: false,
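Review bot: Dropping `expectCt: false` from the "works with all default middlewares disabled" options, together with the removed "allows Expect-CT to be enabled" test, leaves no test at all that exercises a leftover `expectCt` key. A small test asserting what `topLevel({ expectCt: true })` now does (no `expect-ct` header, or a thrown error if you decide to reject the key) would pin the migration behaviour and catch the header reappearing by accident.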
@@ -296,9 +282,6 @@ describe("helmet", () => {
"crossOriginResourcePolicy"
);

expect(helmet.expectCt.name).toBe(expectCt.name);
expect(helmet.expectCt.name).toBe("expectCt");

expect(helmet.originAgentCluster.name).toBe(originAgentCluster.name);
expect(helmet.originAgentCluster.name).toBe("originAgentCluster");
