Add basic CSP support

2017-10-18 17:10:23 +02:00 · 2017-10-18 17:10:23 +02:00 · ba183ce654
parent a23048254d
commit ba183ce654
2 changed files with 35 additions and 0 deletions
--- a/app.js
+++ b/app.js
@ -108,6 +108,31 @@ if (config.hsts.enable) {
  logger.info('https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security')
 }

+// use Content-Security-Policy to limit XSS, dangerous plugins, etc.
+// https://helmetjs.github.io/docs/csp/
+if (config.csp.enable) {
+  var cdnDirectives = {
+    scriptSrc: ["https://cdnjs.cloudflare.com"],
+    styleSrc: ["https://cdnjs.cloudflare.com", "https://fonts.googleapis.com"],
+    fontSrc: ["https://cdnjs.cloudflare.com", "https://fonts.gstatic.com"]
+  }
+  var directives = {}
+  for (var propertyName in config.csp.directives) {
+    if(config.csp.directives.hasOwnProperty(propertyName)) {
+      var directive = config.csp.directives[propertyName]
+      if (config.usecdn && !!cdnDirectives[propertyName]) {
+        directive = directive.concat(cdnDirectives[propertyName])
+      }
+      directives[propertyName] = directive;
+    }
+  }
+  app.use(helmet.contentSecurityPolicy({
+    directives: directives
+  }))
+} else {
+  logger.info('Content-Security-Policy is disabled. This may be a security risk.');
+}
+
 i18n.configure({
  locales: ['en', 'zh', 'fr', 'de', 'ja', 'es', 'ca', 'el', 'pt', 'it', 'tr', 'ru', 'nl', 'hr', 'pl', 'uk', 'hi', 'sv', 'eo', 'da'],
  cookie: 'locale',
--- a/lib/config/default.js
+++ b/lib/config/default.js
@ -13,6 +13,16 @@ module.exports = {
    includeSubdomains: true,
    preload: true
  },
+  csp: {
+    enable: true,
+    reportUri: '',
+    directives: {
+      defaultSrc: ["'self'"],
+      scriptSrc: ["'self'"],
+      styleSrc: ["'self'", "'unsafe-inline'"],
+      fontSrc: ["'self'"]
+    }
+  },
  protocolusessl: false,
  usecdn: true,
  allowanonymous: true,