feat: allow security headers to be disabled by passing false

JLucasCAmorim · Sep 14, 2021 · 3cea4b9 · 3cea4b9
1 parent f6506da
commit 3cea4b9
Showing 1 changed file with 14 additions and 17 deletions.
diff --git a/lib/nextSafe.js b/lib/nextSafe.js
@@ -3,7 +3,16 @@ const buildCSPHeaders = require('./buildCSPHeaders.js')
 const buildPermissionsPolicyHeaders = require('./buildPermissionsPolicyHeaders.js')
 
 
+function hObj(key, value, defaultValue) {
+	if (key === false) {
+		return undefined
+	}
 
+	return {
+		key,
+		value: value || defaultValue
+	}
+}
 
 
 module.exports = function nextSafe(options = {}) {
@@ -21,21 +30,9 @@ module.exports = function nextSafe(options = {}) {
 	return [
 		...buildCSPHeaders({ contentSecurityPolicy, isDev }),
 		...buildPermissionsPolicyHeaders({ permissionsPolicy, permissionsPolicyDirectiveSupport, isDev }),
-		{
-			key: 'Referrer-Policy',
-			value: referrerPolicy || 'no-referrer',
-		},
-		{
-			key: 'X-Content-Type-Options',
-			value: contentTypeOptions || 'nosniff',
-		},
-		{
-			key: 'X-Frame-Options',
-			value: frameOptions || 'DENY',
-		},
-		{
-			key: 'X-XSS-Protection',
-			value: xssProtection || '1; mode=block',
-		},
-	]
+		hObj('Referrer-Policy', referrerPolicy, 'no-referrer'),
+		hObj('X-Content-Type-Options', contentTypeOptions, 'nosniff'),
+		hObj('X-Frame-Options', frameOptions, 'DENY'),
+		hObj('X-XSS-Protection', xssProtection, '1; mode=block;'),
+	].filter((header) => Boolean(header)) // Filter out header values that have resolved to falsy
 }