Add basic CSP support

Literallie 2017-10-18 17:10:23 +02:00
parent a23048254d
commit ba183ce654
GPG key ID: 7BE463C902ED152C
2 changed files with 35 additions and 0 deletions

25
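--- a/app.js
+++ b/app.js
@@ -108,6 +108,31 @@ if (config.hsts.enable) {
 logger.info('https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security')
 }
+// use Content-Security-Policy to limit XSS, dangerous plugins, etc.
+// https://helmetjs.github.io/docs/csp/
+if (config.csp.enable) {
+var cdnDirectives = {
+scriptSrc: ["https://cdnjs.cloudflare.com"],
+styleSrc: ["https://cdnjs.cloudflare.com", "https://fonts.googleapis.com"],
+fontSrc: ["https://cdnjs.cloudflare.com", "https://fonts.gstatic.com"]
+}
+var directives = {}
+for (var propertyName in config.csp.directives) {
+if(config.csp.directives.hasOwnProperty(propertyName)) {
+var directive = config.csp.directives[propertyName]
+if (config.usecdn && !!cdnDirectives[propertyName]) {
+directive = directive.concat(cdnDirectives[propertyName])
+}
+directives[propertyName] = directive;
+}
+}
+app.use(helmet.contentSecurityPolicy({
+directives: directives
+}))
+} else {
+logger.info('Content-Security-Policy is disabled. This may be a security risk.');
+}
 i18n.configure({
 locales: ['en', 'zh', 'fr', 'de', 'ja', 'es', 'ca', 'el', 'pt', 'it', 'tr', 'ru', 'nl', 'hr', 'pl', 'uk', 'hi', 'sv', 'eo', 'da'],
 cookie: 'locale',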
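Review bot: `config.csp.reportUri` is never read in this block — the defaults file in the same commit adds `reportUri: ''`, but the loop only copies `config.csp.directives` into the helmet call, so a configured report endpoint would have no effect. After the loop, something like `if (config.csp.reportUri) { directives.reportUri = config.csp.reportUri }` would wire it up, assuming the installed helmet version accepts it as a directive. Separately, `directive.concat(...)` assumes every configured directive is an array; a string value from config also has a `concat` method and would silently yield a concatenated string rather than a source list, so checking `Array.isArray(directive)` before merging the CDN origins would fail loudly instead. Style: the block mixes `var` with the surrounding file and uses trailing semicolons only on the `directives[propertyName] = directive;` and disabled-branch log lines, and `Object.keys(config.csp.directives)` would replace the `for...in`/`hasOwnProperty` pair.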


@ -13,6 +13,16 @@ module.exports = {
includeSubdomains: true, includeSubdomains: true,
preload: true preload: true
}, },
csp: {
enable: true,
reportUri: '',
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'"],
styleSrc: ["'self'", "'unsafe-inline'"],
fontSrc: ["'self'"]
}
},
protocolusessl: false, protocolusessl: false,
usecdn: true, usecdn: true,
allowanonymous: true, allowanonymous: true,
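Review bot: The `'unsafe-inline'` entry in `styleSrc` weakens the default policy for inline styles and deserves a short comment saying why it is there, since readers of a defaults file will otherwise take it for deliberate hardening rather than a compatibility concession; e.g. `// 'unsafe-inline' presumably needed for inline styles in the templates — tighten once they are removed`. `reportUri: ''` is likewise undocumented — a comment stating what value it expects (a URL that receives CSP violation reports) would help, especially since app.js in this commit does not yet consume it. The enclosing `module.exports` object starts and ends outside the hunk.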