No worries at all: I appreciate your help in banging on the alpha build, and I suspect this will trip up more people.
Is there a safe way I can default to making things “work by default”, I wonder?
For reference, v2.1 now has the following CSP/CORS/"web security" settings:

- `upgradeInsecureRequests`, if true, adds the `upgrade-insecure-requests` CSP directive. If false, the directive is omitted. CSP linters suggest that it be included.
- `cspReportOnly`, if true, uses the `Content-Security-Policy-Report-Only` header rather than the standard `Content-Security-Policy`. CSP violations are only reported. This should only be set to true temporarily for debugging CSP errors.
- `enableWebSecurity`: this defaults to true if you use `--expose` or `exposeNetworkWithoutAuth=true`. If explicitly set to `false`, it changes the default of `cspReportOnly` to true and `upgradeInsecureRequests` to false. If you're accessing your PhotoStructure library via the web interface, you want this set to `true`.

So, with that out of the way: perhaps I default `upgradeInsecureRequests` to false?

After explaining this, I think `enableWebSecurity` is too confusing and complicated: I'm going to delete it.

Related: did people know that there's a `trustProxy` setting? It currently defaults to `false` because I'm chicken, but I think defaulting it to `loopback` might be almost as safe a default. More defaults about `trustProxy` are here.
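The following is an added example, not PhotoStructure's own code, that models the two things the post describes: how the `cspReportOnly`, `upgradeInsecureRequests` and `enableWebSecurity` settings combine into a single response header (the base directives and the function names are assumptions; the real policy is not shown in the post), and why a `trustProxy` value of `loopback` is safer than `true`: only a peer connecting from the loopback address is allowed to rewrite the client IP via `X-Forwarded-For`.

```javascript
// Added example (not PhotoStructure's code). Models the settings described in
// the post; BASE_DIRECTIVES and all function names are assumptions.

// Hypothetical base policy: the real directives are not on the page.
const BASE_DIRECTIVES = ["default-src 'self'", "img-src 'self' data:"];

// Resolve effective settings. Per the post, an explicit enableWebSecurity=false
// flips the defaults of the other two settings (report-only on, upgrade off).
function resolveSettings(opts = {}) {
  const webSecurityOff = opts.enableWebSecurity === false;
  return {
    upgradeInsecureRequests: opts.upgradeInsecureRequests ?? !webSecurityOff,
    cspReportOnly: opts.cspReportOnly ?? webSecurityOff,
  };
}

// Build { name, value } for the CSP response header. Report-Only means the
// browser logs violations but does not block anything.
function buildCspHeader(opts = {}) {
  const s = resolveSettings(opts);
  const directives = [...BASE_DIRECTIVES];
  if (s.upgradeInsecureRequests) directives.push("upgrade-insecure-requests");
  return {
    name: s.cspReportOnly
      ? "Content-Security-Policy-Report-Only"
      : "Content-Security-Policy",
    value: directives.join("; "),
  };
}

// Decide whether the TCP peer may set X-Forwarded-For.
//   false      -> never trust the header
//   true       -> trust anyone (unsafe: any client can spoof its IP)
//   "loopback" -> trust only a reverse proxy on the same host
function isTrustedProxy(remoteAddr, trustProxy) {
  if (trustProxy === true) return true;
  if (trustProxy === "loopback") {
    const addr = remoteAddr.replace(/^::ffff:/, ""); // strip IPv4-mapped prefix
    return addr === "::1" || addr.startsWith("127.");
  }
  return false;
}

// Simplistic IP-shape check, enough for the example (no range validation).
function looksLikeIp(s) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(s) || /^[0-9a-fA-F:]+$/.test(s);
}

// Pick the client IP: honour the first X-Forwarded-For entry only when the
// peer is a trusted proxy; otherwise the socket address is the truth.
function resolveClientIp(remoteAddr, xForwardedFor, trustProxy) {
  if (isTrustedProxy(remoteAddr, trustProxy) && xForwardedFor) {
    const first = xForwardedFor.split(",")[0].trim();
    if (looksLikeIp(first)) return first;
  }
  return remoteAddr;
}

// Stand-alone demo with constructed inputs.
console.log(buildCspHeader({}));
console.log(buildCspHeader({ enableWebSecurity: false }));
console.log(resolveClientIp("192.0.2.10", "203.0.113.5", "loopback")); // 192.0.2.10 (spoof ignored)
console.log(resolveClientIp("127.0.0.1", "203.0.113.5", "loopback")); // 203.0.113.5 (via local proxy)
```

With `trustProxy: "loopback"`, a remote client that sends its own `X-Forwarded-For` header is still identified by its socket address, which is why the post's proposed default costs little for the common setup of a reverse proxy on the same host; `true` would let any direct client claim any IP.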