The helmet config in `server.js` disables `crossOriginEmbedderPolicy` alongside the documented `contentSecurityPolicy: false`. The CSP line has a multi-line rationale comment; the COEP line has none. A future contributor reading the block could either assume it was an oversight (and try to re-enable it) or copy the pattern into a different app without understanding the constraint.
Fix: add inline rationale (Swagger UI loads theme assets cross-origin; helmet's default `require-corp` blocks anything without explicit CORP/CORS opt-in).
Proudly Made in Nebraska. Go Big Red! 🌽 https://xkcd.com/2347/
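For reference, here is the shape the commented block could take, plus a small model of the browser rule the comment is describing. This is an added example, not the project's `server.js`: the helmet option names (`contentSecurityPolicy`, `crossOriginEmbedderPolicy`, and the `{ policy: ... }` object form accepted by recent helmet versions) are real, but the `helmetOptions()` / `swaggerThemeLoads()` function names, the "theme stylesheet from a CDN" scenario, and the simplified Fetch-spec logic are assumptions for illustration. The config is plain data so the example runs without helmet installed.

```javascript
// Added example, not code from the project. helmetOptions() shows the
// inline rationale the issue asks for; subresourceAllowed() models why
// helmet's default COEP (require-corp) breaks cross-origin assets that
// carry no Cross-Origin-Resource-Policy header and pass no CORS check.

// In the app this object is what gets passed as app.use(helmet(helmetOptions())).
// (helmetOptions is an assumed name; the option keys are helmet's own.)
function helmetOptions() {
  return {
    // CSP is disabled for the reasons already documented in server.js (kept as-is).
    contentSecurityPolicy: false,
    // COEP is disabled deliberately, not by oversight: helmet's default emits
    // Cross-Origin-Embedder-Policy: require-corp, and Swagger UI loads its
    // theme assets cross-origin. Under require-corp the browser refuses any
    // cross-origin response that neither carries
    // Cross-Origin-Resource-Policy: cross-origin nor passes a CORS check,
    // which those assets do not. Do not re-enable without verifying that
    // every cross-origin asset opts in.
    crossOriginEmbedderPolicy: false,
  };
}

// Header value the browser will see for a given crossOriginEmbedderPolicy
// option: helmet's default is require-corp; false omits the header, which
// the browser treats as unsafe-none; { policy: "..." } sets it explicitly.
function coepHeader(option) {
  if (option === false) return 'unsafe-none';
  if (option && typeof option === 'object' && option.policy) return option.policy;
  return 'require-corp';
}

// Browser-side load decision, simplified from the Fetch spec:
//   relation: 'same-origin' | 'same-site' | 'cross-origin' (resource vs. page)
//   mode:     'no-cors' (plain <link>/<img>/<script>) | 'cors' (crossorigin attr, fetch())
//   corp:     the resource's Cross-Origin-Resource-Policy header, or null if absent
//   corsOk:   whether the CORS check passed (only meaningful when mode is 'cors')
function subresourceAllowed({ coep, relation, mode, corp = null, corsOk = false }) {
  if (relation === 'same-origin') return true;
  if (mode === 'cors') return corsOk; // CORS governs CORS-mode requests regardless of COEP
  // The CORP check applies to no-cors responses even when COEP is unsafe-none.
  if (corp === 'same-origin') return false;
  if (corp === 'same-site' && relation === 'cross-origin') return false;
  switch (coep) {
    case 'unsafe-none':
      return true;
    case 'credentialless':
      return true; // browser re-sends the request without credentials instead of blocking
    case 'require-corp':
      return corp === 'cross-origin' || (relation === 'same-site' && corp === 'same-site');
    default:
      throw new Error(`unknown COEP value: ${coep}`);
  }
}

// The situation from the issue (constructed scenario): a Swagger UI theme
// stylesheet served from a third-party CDN with no CORP header and loaded by a
// plain <link> tag, so no CORS check is involved.
function swaggerThemeLoads(options) {
  return subresourceAllowed({
    coep: coepHeader(options.crossOriginEmbedderPolicy),
    relation: 'cross-origin',
    mode: 'no-cors',
    corp: null,
  });
}
```

Run `swaggerThemeLoads({})` to see the asset blocked under helmet's default and `swaggerThemeLoads(helmetOptions())` to see it load with the opt-out. If the upstream assets ever start sending `Cross-Origin-Resource-Policy: cross-origin`, or the app moves to `{ policy: 'credentialless' }`, the same function shows that the header can be re-enabled, which is the check a future contributor should run before touching the line.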