diff --git a/src/lib/middleware/secure-headers.ts b/src/lib/middleware/secure-headers.ts
index 5eaa8926f3f3..066d39d06e9d 100644
--- a/src/lib/middleware/secure-headers.ts
+++ b/src/lib/middleware/secure-headers.ts
@@ -86,50 +86,10 @@ const secureHeaders: (config: IUnleashConfig) => RequestHandler = (config) => {
         originAgentCluster: false,
         xDnsPrefetchControl: false,
     });
-    const apiHelmet = helmet({
-        hsts: {
-            maxAge: hoursToSeconds(24 * 365 * 2), // 2 non-leap years
-            includeSubDomains: true,
-            preload: true,
-        },
-        contentSecurityPolicy: {
-            directives: {
-                defaultSrc:
-                    helmet.contentSecurityPolicy
-                        .dangerouslyDisableDefaultSrc,
-                fontSrc: null,
-                styleSrc: null,
-                scriptSrc: null,
-                imgSrc: null,
-                connectSrc: null,
-                mediaSrc: null,
-                objectSrc: null,
-                frameSrc: null,
-                upgradeInsecureRequests: null,
-                scriptSrcAttr: null,
-                baseUri: null,
-                formAction: null,
-                frameAncestors: ["'none'"],
-            },
-        },
-
-        crossOriginEmbedderPolicy: false,
-        crossOriginResourcePolicy: false,
-        crossOriginOpenerPolicy: false,
-        originAgentCluster: false,
-        xXssProtection: false,
-        xDnsPrefetchControl: false,
-        xFrameOptions: { action: 'deny' },
-    });
     return (req, res, next) => {
         if (req.method === 'OPTIONS') {
             return next();
-        } else if (
-            req.path.startsWith(`${config.server.baseUriPath}/api/`) &&
-            config.flagResolver.isEnabled('stripHeadersOnAPI')
-        ) {
-            apiHelmet(req, res, next);
         } else {
             defaultHelmet(req, res, next);
         }
diff --git a/src/server-dev.ts b/src/server-dev.ts
index be7e586391db..e0037f127f3b 100644
--- a/src/server-dev.ts
+++ b/src/server-dev.ts
@@ -40,7 +40,6 @@ process.nextTick(async () => {
         embedProxyFrontend: true,
         anonymiseEventLog: false,
         responseTimeWithAppNameKillSwitch: false,
-        stripHeadersOnAPI: true,
         celebrateUnleash: true,
         featureSearchFeedbackPosting: true,
         userAccessUIEnabled: true,
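Review bot: With the `else if` branch gone, the `else` around `defaultHelmet(req, res, next)` is redundant after the early `return next()` for OPTIONS, so the handler reads more simply as `if (req.method === 'OPTIONS') { return next(); }` followed by an unconditional `defaultHelmet(req, res, next);`. The removed `apiHelmet` carried `frameAncestors: ["'none'"]` and `xFrameOptions: { action: 'deny' }` for `/api/` responses, so API paths now depend on whatever the `defaultHelmet` options (which start outside the hunk) set for those headers; a short comment above `return (req, res, next) =>` such as `// All non-OPTIONS requests, including /api/, use the single default helmet config` would record that this is intentional. If `stripHeadersOnAPI` is still declared in the flag type or experimental-flag list elsewhere in the repository, it should be removed there as well, otherwise it remains a toggle that no longer does anything; the enclosing `secureHeaders` function begins before this hunk.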