
I have an HTTP server and I don't know why it doesn't run.

index.js file:

const express = require("express");
const app = (global.app = express());
const helmet = require("helmet");
const server = require("http").createServer(app);
const io = (global.io = require("socket.io")(server));
const config = require("./config.js");

//Middleware
app.use(helmet());
app.use(express.json());
app.use(express.urlencoded({ extended: false }));

require("./socket")(io);
require("./router")(app);

server.listen(config.PORT, () => console.log(`Listen on port ${config.PORT}...`));

router file:

const express = require("express");
const path = require("path");

module.exports = (app) => {
  app.use(express.static(path.join(__dirname, "/../public/main")));
  app.use("/board/:id", express.static(path.join(__dirname, "/../public/paint")));
  app.get("*", (req, res) => {
    res.status(404).sendFile(path.join(__dirname, "/../", "/public/404/404.html"));
  });
};

Chrome shows these errors:

GET https://10.0.1.55:5000/board/jsdbf/style.css net::ERR_SSL_PROTOCOL_ERROR
GET https://10.0.1.55:5000/socket.io/socket.io.js net::ERR_SSL_PROTOCOL_ERROR

for all js, css and imgs. index.html is loaded correctly.

5 Comments

  • You are trying to access the server with HTTPS but you have no HTTPS configured on the server. Use http://... instead of https://... to access the server. Commented Oct 26, 2020 at 9:59
  • Yesterday the same code worked fine :/ Logs from Firefox: http: Content Security Policy: Failed to process unknown directive "script-src-attr" Content Security Policy: The page settings blocked the loading of an "inline" resource ("script-src"). fingerprint-protection.js: 286: 17 Failed to load for "script" with source "10.0.1.55:5000/socket.io/socket.io.js". 10.0.1.55:5000:31:1 Failed to load for "script" with source "10.0.1.55:5000/script.js". 10.0.1.55:5000:32:1 Commented Oct 26, 2020 at 10:44
  • Content Security Policy: The page settings blocked the loading of an "inline" resource ("script-src"). fingerprint-protection.js: 286: 17 Commented Oct 26, 2020 at 10:44
  • The errors from your last two comments have nothing to do with SSL and thus have nothing to do with your original question. Commented Oct 26, 2020 at 14:23
  • I think that app.use(helmet()); forces the call in HTTPS Commented Mar 18, 2021 at 15:00

2 Answers


I am not a 100% expert in Content Security Policy but I noticed something.

As Benjamin Lemoine pointed out, the net::ERR_SSL_PROTOCOL_ERROR problem appears when using helmet (app.use(helmet())). I do not think that the solution is to not use helmet at all because it provides security for the application.

After performing a brute force of all helmet middlewares (contentSecurityPolicy, dnsPrefetchControl, expectCt, frameguard, etc.), I found out that contentSecurityPolicy was creating the error. The MDN docs say that the upgrade-insecure-requests directive instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS).

So to solve the problem and use helmet at the same time I changed this:

app.use( helmet() );

to this:

app.use( helmet() );
// getDefaultDirectives() returns helmet's stock CSP, which includes
// upgrade-insecure-requests; drop it so subresource fetches stay on http.
const defaultDirectives = helmet.contentSecurityPolicy.getDefaultDirectives();
delete defaultDirectives["upgrade-insecure-requests"];
app.use(helmet.contentSecurityPolicy({
  directives: {
    ...defaultDirectives,
  },
}));

This way I am still using helmet but the CSP directives are not forcing HTTP to HTTPS. Please keep in mind that the upgrade-insecure-requests directive should be set on production environments.


1 Comment

  • app.use(helmet({ contentSecurityPolicy: false })); worked for me using [email protected].


Helmet is a package that adds a Content-Security-Policy and other response headers to your API replies. The Content-Security-Policy header was set to a default value, which contained the directive "upgrade-insecure-requests". The requests for the style files were therefore upgraded from http to https, hence the net::ERR_SSL_PROTOCOL_ERROR.

When applying helmet to your application, you may overcome the problem by adding the following logic.

// Start from helmet's stock directives and remove only the one that
// rewrites http:// subresource fetches to https://.
const cspDefaults = helmet.contentSecurityPolicy.getDefaultDirectives();
delete cspDefaults['upgrade-insecure-requests'];

app.use(helmet({
    contentSecurityPolicy: { directives: cspDefaults }
}));
