diff --git a/CHANGELOG.md b/CHANGELOG.md index ebb5c7f..30b0fbe 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ - **Breaking:** Where possible, increase TypeScript strictness around some strings. Only affects TypeScript users. See [#369](https://github.com/helmetjs/helmet/issues/369) - **Breaking:** `helmet.contentSecurityPolicy` no longer sets `block-all-mixed-content` directive by default +- **Breaking:** `helmet.expectCt` is no longer set by default. It can, however, be explicitly enabled. It will be removed in Helmet 7. See [#310](https://github.com/helmetjs/helmet/issues/310) - `helmet.frameguard` no longer offers a specific error when trying to use `ALLOW-FROM`; it just says that it is unsupported. Only the error message has changed ### Removed diff --git a/README.md b/README.md index 7b0bb6a..bae56d3 100644 --- a/README.md +++ b/README.md @@ -37,7 +37,6 @@ Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' http Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: same-origin -Expect-CT: max-age=0 Origin-Agent-Cluster: ?1 Referrer-Policy: no-referrer Strict-Transport-Security: max-age=15552000; includeSubDomains 
@@ -373,6 +372,8 @@ Expect-CT: max-age=0 `helmet.expectCt` sets the `Expect-CT` header which helps mitigate misissued SSL certificates. See [MDN's article on Certificate Transparency](https://developer.mozilla.org/en-US/docs/Web/Security/Certificate_Transparency) and the [`Expect-CT` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT) for more. +`Expect-CT` is no longer useful for new browsers in 2022. Therefore, `helmet.expectCt` is deprecated and will be removed in the next major version of Helmet. However, it can still be used in this version of Helmet. + `options.maxAge` is the number of seconds to expect Certificate Transparency. It defaults to `0`. `options.enforce` is a boolean. If `true`, the user agent (usually a browser) should refuse future connections that violate its Certificate Transparency policy. Defaults to `false`. diff --git a/index.ts b/index.ts index 75c80d8..d8ff8ab 100644 --- a/index.ts +++ b/index.ts @@ -147,7 +147,7 @@ function getMiddlewareFunctionsFromOptions( result.push(xDnsPrefetchControl(...xDnsPrefetchControlArgs)); } - const expectCtArgs = getArgs(options.expectCt); + const expectCtArgs = options.expectCt && getArgs(options.expectCt); if (expectCtArgs) { result.push(expectCt(...expectCtArgs)); } diff --git a/test/index.test.ts b/test/index.test.ts index b2b9910..ea285bb 100644 --- a/test/index.test.ts +++ b/test/index.test.ts @@ -24,7 +24,7 @@ import xXssProtection from "../middlewares/x-xss-protection"; describe("helmet", () => { const topLevel = helmet.default; - it("includes all middleware with their default options", async () => { + it("includes all middleware, except Expect-CT, with their default options", async () => { // NOTE: This test relies on the CSP object being ordered a certain way, // which could change (and be non-breaking). If that becomes a problem, // we should update this test to be more robust. 
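Review bot: The new guard `options.expectCt && getArgs(options.expectCt)` makes Expect-CT the one middleware in this function that stays off unless the caller opts in, but nothing in the code says why; a reader comparing it with the plain `getArgs(options.x)` form the neighbouring middlewares presumably use could "fix" it back to default-on. I'd put the reason above the line: `// Expect-CT is deprecated (see #310) and opt-in only; drop this middleware in Helmet 7.` Note also that with the `&&` short-circuit `expectCtArgs` can now hold `false` or `undefined` rather than whatever `getArgs` returns for a disabled option, which is fine as long as the following `if (expectCtArgs)` keeps testing truthiness only. getMiddlewareFunctionsFromOptions starts before this hunk and continues after it.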
@@ -34,7 +34,8 @@ describe("helmet", () => {
 "cross-origin-embedder-policy": "require-corp",
 "cross-origin-opener-policy": "same-origin",
 "cross-origin-resource-policy": "same-origin",
- "expect-ct": "max-age=0",
+ // In Helmet 7, we can remove this Expect-CT assertion.
+ "expect-ct": null,
 "origin-agent-cluster": "?1",
 "referrer-policy": "no-referrer",
 "strict-transport-security": "max-age=15552000; includeSubDomains",
@@ -61,6 +62,16 @@ describe("helmet", () => { }); }); + // In Helmet 7, this test should be removed. + it("allows Expect-CT to be enabled", async () => { + await check(topLevel({ expectCt: true }), { + "expect-ct": "max-age=0", + }); + await check(topLevel({ expectCt: { maxAge: 123 } }), { + "expect-ct": "max-age=123", + }); + }); + it("works with all default middlewares disabled", async () => { await check( topLevel({
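Review bot: The new "allows Expect-CT to be enabled" test pins the two opt-in shapes (`true` and `{ maxAge: 123 }`) but nothing in this hunk asserts the explicit opt-out, which is the case the `&&` guard in index.ts now short-circuits on; one more line would close that gap, `await check(topLevel({ expectCt: false }), { "expect-ct": null });`. The "works with all default middlewares disabled" test that starts at the bottom of the hunk and continues past it may already cover `expectCt: false`, in which case a pointer comment is enough. The `"expect-ct": null` expectation in the earlier hunk at `@@ -34,7 +34,8 @@` presumably relies on `check` treating `null` as "header absent"; since the Helmet 7 removal comment sits there too, it would help to say so in that comment so the two Expect-CT assertions are removed together.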