fastify · mcollina · Aug 31, 2022 · Aug 29, 2022 · Aug 31, 2022 · Aug 31, 2022
diff --git a/package.json b/package.json
@@ -38,15 +38,15 @@
   "devDependencies": {
     "@fastify/pre-commit": "^2.0.2",
     "@types/node": "^18.0.0",
-    "fastify": "^4.0.0-rc.2",
+    "fastify": "^4.5.3",
     "snazzy": "^9.0.0",
     "standard": "^17.0.0",
     "tap": "^16.0.0",
     "tsd": "^0.22.0"
   },
   "dependencies": {
-    "fastify-plugin": "^4.0.0",
-    "helmet": "^5.0.1"
+    "fastify-plugin": "^4.2.1",
+    "helmet": "^6.0.0"
   },
   "tsd": {
     "directory": "test/types"

diff --git a/test/global.test.js b/test/global.test.js
@@ -153,7 +153,7 @@ test('It should be able to access default CSP directives through plugin export',
     path: '/'
   })
 
-  const expected = { 'content-security-policy': 'default-src \'self\';base-uri \'self\';block-all-mixed-content;font-src \'self\' https: data:;form-action \'self\';frame-ancestors \'self\';img-src \'self\' data:;object-src \'none\';script-src \'self\';script-src-attr \'none\';style-src \'self\' https: \'unsafe-inline\';upgrade-insecure-requests' }
+  const expected = { 'content-security-policy': 'default-src \'self\';base-uri \'self\';font-src \'self\' https: data:;form-action \'self\';frame-ancestors \'self\';img-src \'self\' data:;object-src \'none\';script-src \'self\';script-src-attr \'none\';style-src \'self\' https: \'unsafe-inline\';upgrade-insecure-requests' }
 
   t.has(response.headers, expected)
 })
@@ -238,7 +238,7 @@ test('It should allow merging options for enableCSPNonces', async (t) => {
   t.ok(cspCache.script)
   t.ok(cspCache.style)
   t.has(response.headers, {
-    'content-security-policy': `default-src 'self';script-src 'self' 'nonce-${cspCache.script}';style-src 'self' 'nonce-${cspCache.style}';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src-attr 'none';upgrade-insecure-requests`
+    'content-security-policy': `default-src 'self';script-src 'self' 'nonce-${cspCache.script}';style-src 'self' 'nonce-${cspCache.style}';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src-attr 'none';upgrade-insecure-requests`
   })
 })
 
@@ -299,7 +299,7 @@ test('It should not stack nonce array in csp header', async (t) => {
   t.ok(cspCache.script)
   t.ok(cspCache.style)
   t.has(response.headers, {
-    'content-security-policy': `default-src 'self';script-src 'self' 'nonce-${cspCache.script}';style-src 'self' 'nonce-${cspCache.style}';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src-attr 'none';upgrade-insecure-requests`
+    'content-security-policy': `default-src 'self';script-src 'self' 'nonce-${cspCache.script}';style-src 'self' 'nonce-${cspCache.style}';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src-attr 'none';upgrade-insecure-requests`
   })
 
   response = await fastify.inject({ method: 'GET', path: '/' })
@@ -308,7 +308,7 @@ test('It should not stack nonce array in csp header', async (t) => {
   t.ok(cspCache.script)
   t.ok(cspCache.style)
   t.has(response.headers, {
-    'content-security-policy': `default-src 'self';script-src 'self' 'nonce-${cspCache.script}';style-src 'self' 'nonce-${cspCache.style}';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src-attr 'none';upgrade-insecure-requests`
+    'content-security-policy': `default-src 'self';script-src 'self' 'nonce-${cspCache.script}';style-src 'self' 'nonce-${cspCache.style}';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src-attr 'none';upgrade-insecure-requests`
   })
 })
 
@@ -337,7 +337,7 @@ test('It should access the correct options property', async (t) => {
   t.ok(cspCache.script)
   t.ok(cspCache.style)
   t.has(response.headers, {
-    'content-security-policy': `script-src 'self' 'unsafe-eval' 'unsafe-inline' 'nonce-${cspCache.script}';style-src 'self' 'unsafe-inline' 'nonce-${cspCache.style}';default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src-attr 'none';upgrade-insecure-requests`
+    'content-security-policy': `script-src 'self' 'unsafe-eval' 'unsafe-inline' 'nonce-${cspCache.script}';style-src 'self' 'unsafe-inline' 'nonce-${cspCache.style}';default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src-attr 'none';upgrade-insecure-requests`
   })
 })
 
@@ -365,7 +365,7 @@ test('It should not set script-src or style-src', async (t) => {
   t.ok(cspCache.script)
   t.ok(cspCache.style)
   t.has(response.headers, {
-    'content-security-policy': `default-src 'self';script-src 'nonce-${cspCache.script}';style-src 'nonce-${cspCache.style}';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src-attr 'none';upgrade-insecure-requests`
+    'content-security-policy': `default-src 'self';script-src 'nonce-${cspCache.script}';style-src 'nonce-${cspCache.style}';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src-attr 'none';upgrade-insecure-requests`
   })
 })
 

diff --git a/test/routes.test.js b/test/routes.test.js
@@ -106,7 +106,7 @@ test('It should add CSPNonce decorator and hooks when route `enableCSPNonces` op
   t.ok(cspCache.script)
   t.ok(cspCache.style)
   t.has(response.headers, {
-    'content-security-policy': `script-src 'self' 'unsafe-eval' 'unsafe-inline' 'nonce-${cspCache.script}';style-src 'self' 'unsafe-inline' 'nonce-${cspCache.style}';default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src-attr 'none';upgrade-insecure-requests`
+    'content-security-policy': `script-src 'self' 'unsafe-eval' 'unsafe-inline' 'nonce-${cspCache.script}';style-src 'self' 'unsafe-inline' 'nonce-${cspCache.style}';default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src-attr 'none';upgrade-insecure-requests`
   })
 })
 

diff --git a/types/index.test-d.ts b/types/index.test-d.ts
@@ -49,18 +49,18 @@ appFour.register(fastifyHelmet, {
     reportUri: 'foo'
   },
   frameguard: {
-    action: 'foo'
+    action: 'deny'
   },
   hsts: {
     maxAge: 1,
     includeSubDomains: true,
     preload: true
   },
   permittedCrossDomainPolicies: {
-    permittedPolicies: 'foo'
+    permittedPolicies: 'master-only'
   },
   referrerPolicy: {
-    policy: 'foo'
+    policy: 'no-referrer'
   }
   // these options are false or never
   // hidePoweredBy: false
@@ -144,18 +144,18 @@ const routeHelmetOptions = {
       reportUri: 'foo'
     },
     frameguard: {
-      action: 'foo'
+      action: 'deny' as const
     },
     hsts: {
       maxAge: 1,
       includeSubDomains: true,
       preload: true
     },
     permittedCrossDomainPolicies: {
-      permittedPolicies: 'foo'
+      permittedPolicies: 'all'  as const
     },
     referrerPolicy: {
-      policy: 'foo'
+      policy: 'no-referrer' as const
     }
   }
 };