diff --git a/server/routes/index.js b/server/routes/index.js
index b9001957..d08194c4 100644
--- a/server/routes/index.js
+++ b/server/routes/index.js
@@ -7,6 +7,7 @@ const storage = require('../storage');
 const config = require('../config');
 const pages = require('./pages');
 // const lang = require('fluent-langneg')
+const IS_DEV = config.env === 'development';
 
 module.exports = function(app) {
   app.use(
@@ -18,29 +19,31 @@ module.exports = function(app) {
   app.use(
     helmet.hsts({
       maxAge: 31536000,
-      force: config.env === 'production'
-    })
-  );
-  app.use(
-    helmet.contentSecurityPolicy({
-      directives: {
-        defaultSrc: ["'self'"],
-        connectSrc: [
-          "'self'",
-          'https://sentry.prod.mozaws.net',
-          'https://www.google-analytics.com'
-        ],
-        imgSrc: ["'self'", 'https://www.google-analytics.com'],
-        scriptSrc: ["'self'"],
-        styleSrc: ["'self'", 'https://code.cdn.mozilla.net'],
-        fontSrc: ["'self'", 'https://code.cdn.mozilla.net'],
-        formAction: ["'none'"],
-        frameAncestors: ["'none'"],
-        objectSrc: ["'none'"],
-        reportUri: '/__cspreport__'
-      }
+      force: !IS_DEV
     })
   );
+  if (!IS_DEV) {
+    app.use(
+      helmet.contentSecurityPolicy({
+        directives: {
+          defaultSrc: ["'self'"],
+          connectSrc: [
+            "'self'",
+            'https://sentry.prod.mozaws.net',
+            'https://www.google-analytics.com'
+          ],
+          imgSrc: ["'self'", 'https://www.google-analytics.com'],
+          scriptSrc: ["'self'"],
+          styleSrc: ["'self'", 'https://code.cdn.mozilla.net'],
+          fontSrc: ["'self'", 'https://code.cdn.mozilla.net'],
+          formAction: ["'none'"],
+          frameAncestors: ["'none'"],
+          objectSrc: ["'none'"],
+          reportUri: '/__cspreport__'
+        }
+      })
+    );
+  }
   app.use(
     busboy({
       limits: {
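Review bot: The new `if (!IS_DEV)` guard drops the Content-Security-Policy header entirely in development, so a script, style or connect source that the policy would block in production is never surfaced while a feature is being built; helmet's CSP middleware takes a `reportOnly` option, so the policy can stay registered unconditionally with `reportOnly: IS_DEV` alongside `directives`, which keeps violations flowing to `/__cspreport__` without blocking local tooling. The HSTS line in the same hunk also flips the condition from `config.env === 'production'` to `!IS_DEV`, so any other configured env value (a test or staging env, if one exists) now gets `force: true` and the enforced CSP where it previously did not — worth confirming that is intended. Since `IS_DEV` is false for a missing or misspelled `config.env`, both headers fail closed, which is the right default. The enclosing `module.exports = function(app)` starts and ends outside the hunk.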