From 4b35c9fe090079c6f9e4c596dc2ad74906bc4edc Mon Sep 17 00:00:00 2001
From: Bill Ross
Date: Tue, 15 Apr 2025 14:19:01 -0600
Subject: [PATCH] Expanded config for more options

---
 csp-policy.yml     | 46 +++++++++++++++++++++++++--------------------
 index.cjs          |  8 +-------
 test/index.test.js |  6 ++++--
 3 files changed, 30 insertions(+), 30 deletions(-)

diff --git a/csp-policy.yml b/csp-policy.yml
index e07bb5a..584e2ed 100644
--- a/csp-policy.yml
+++ b/csp-policy.yml
@@ -5,24 +5,28 @@
 # script-src 'self' example.com;object-src 'none';
 # upgrade-insecure-requests"
 # Note: embedded single quotes are required
-default-src: [ "'self'" ]
-base-uri: [ "'self'" ]
-font-src:
-  - "'self'"
-  - "https:"
-  - "data:"
-form-action: [ "'self'" ]
-frame-ancestors: [ "'self'" ]
-img-src:
-  - "'self'"
-  - "data:"
-object-src: [ "'none'" ]
-script-src:
-  - "'self'"
-  - example.com
-script-src-attr: [ "'none'" ]
-style-src:
-  - "'self'"
-  - "https:"
-  - "'unsafe-inline'"
-upgrade-insecure-requests: []
+xFrameOptions: SAMEORIGIN
+contentSecurityPolicy:
+  useDefaults: false
+  directives:
+    default-src: [ "'self'" ]
+    base-uri: [ "'self'" ]
+    font-src:
+      - "'self'"
+      - "https:"
+      - "data:"
+    form-action: [ "'self'" ]
+    frame-ancestors: [ "'self'" ]
+    img-src:
+      - "'self'"
+      - "data:"
+    object-src: [ "'none'" ]
+    script-src:
+      - "'self'"
+      - example.com
+    script-src-attr: [ "'none'" ]
+    style-src:
+      - "'self'"
+      - "https:"
+      - "'unsafe-inline'"
+    upgrade-insecure-requests: []
diff --git a/index.cjs b/index.cjs
index af83866..c5b37e9 100644
--- a/index.cjs
+++ b/index.cjs
@@ -7,11 +7,5 @@ module.exports = (path) => {
   const csppolicy = fs.readFileSync(path, 'utf8')
   const csp = YAML.parse(csppolicy)
 
-  return helmet({
-    contentSecurityPolicy: {
-      useDefaults: false,
-      directives: csp,
-    },
-    xFrameOptions: 'SAMEORIGIN',
-  })
+  return helmet(csp)
 }
diff --git a/test/index.test.js b/test/index.test.js
index 28b362d..9ad848d 100644
--- a/test/index.test.js
+++ b/test/index.test.js
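Review bot: `xFrameOptions: SAMEORIGIN` is now a value a policy author edits, and if the installed helmet version takes this option as `{ action: 'sameorigin' | 'deny' }`, the bare string is probably accepted only because the default action is SAMEORIGIN — an author who writes `xFrameOptions: DENY` here would then silently keep SAMEORIGIN. Worth confirming against the helmet version in package.json and, if so, changing the line to `xFrameOptions: { action: sameorigin }` so stricter values are honoured. Nothing in the file tells an author that it is now a helmet() options object rather than a list of directives; I would add `# Top-level keys are passed to helmet(); CSP directives belong under contentSecurityPolicy.directives` above `xFrameOptions`, and `# false: only the directives listed below are emitted, helmet's default directives are not merged in` above `useDefaults`. The file-header comment that the three context lines belong to begins outside the hunk.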
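Review bot: `return helmet(csp)` hands whatever YAML.parse produced straight to helmet, so an empty or scalar policy file (which YAML parsers typically return as null or a primitive) now fails inside helmet with an error that does not mention the file, where the old code at least fixed the outer shape. I would guard before the return: `if (csp === null || typeof csp !== 'object' || Array.isArray(csp)) {` / `  throw new Error(\`CSP policy file ${path} must be a YAML mapping of helmet options\`)` / `}`. This hunk also changes the policy-file contract — a pre-existing flat file is now read as top-level helmet options instead of CSP directives, and `useDefaults: false` and `xFrameOptions` are no longer enforced unless the file sets them — which the commit message does not call out, so the README and version should note the migration. The arrow function opens at the hunk header line, outside the hunk.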
@@ -19,8 +19,10 @@ describe('Rapid configurable Content Security Policy middleware', () => {
     fs.writeFileSync(
       customPolicyPath,
       `
-default-src: ["'self'"]
-script-src: ["'self'", "https://cdn.example.com"]
+contentSecurityPolicy:
+  directives:
+    default-src: ["'self'"]
+    script-src: ["'self'", "https://cdn.example.com"]
 `,
     )
   })
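Review bot: The rewritten fixture nests the directives but, unlike csp-policy.yml in the same commit, does not set `useDefaults: false`; helmet's useDefaults defaults to true, so its default directives will be merged into this policy and the emitted Content-Security-Policy header will contain more than `default-src` and `script-src`. If the assertion later in this describe block (outside the hunk) compares the whole header value it will now fail, and if it was loosened to match it no longer proves the custom file is what is served; adding `  useDefaults: false` under `contentSecurityPolicy:` keeps the fixture equivalent to the previous behaviour. The describe and the setup hook this writeFileSync sits in start and end outside the hunk.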