depau
/
HackMD
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add config option for report URI in CSP 

This option is needed as it's currently not possible to add an report
URI by the directives array. This option also allows to get CSP reports
not only on docker based setup but also on our heroku instances.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
This commit is contained in:
Sheogorath 2018-03-10 14:34:14 +01:00
parent 21be5a5517
commit efa490a50f
No known key found for this signature in database
GPG Key ID: 1F05CC3635CDDFFD
4 changed files with 12 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
README.md
View File

@ -207,6 +207,7 @@ There are some config settings you need to change in the files below.
| `HMD_HSTS_MAX_AGE` | `31536000` | max duration in seconds to tell clients to keep HSTS status (default is a year) |
| `HMD_HSTS_PRELOAD` | `true` | whether to allow preloading of the site's HSTS status (e.g. into browsers) |
| `HMD_CSP_ENABLE` | `true` | whether to enable Content Security Policy (directives cannot be configured with environment variables) |
| `HMD_CSP_REPORTURI` | `https://<someid>.report-uri.com/r/d/csp/enforce` | Allows to add a URL for CSP reports in case of violations |
## Application settings `config.json`

3
lib/config/default.js
View File

@ -18,7 +18,8 @@ module.exports = {
directives: {
},
addDefaults: true,
upgradeInsecureRequests: 'auto'
upgradeInsecureRequests: 'auto',
reportURI: undefined
},
protocolusessl: false,
usecdn: true,

3
lib/config/environment.js
View File

@ -15,7 +15,8 @@ module.exports = {
preload: toBooleanConfig(process.env.HMD_HSTS_PRELOAD)
},
csp: {
enable: toBooleanConfig(process.env.HMD_CSP_ENABLE)
enable: toBooleanConfig(process.env.HMD_CSP_ENABLE),
reportURI: process.env.HMD_CSP_REPORTURI
},
protocolusessl: toBooleanConfig(process.env.HMD_PROTOCOL_USESSL),
alloworigin: toArrayConfig(process.env.HMD_ALLOW_ORIGIN),

7
lib/csp.js
View File

@ -30,6 +30,7 @@ CspStrategy.computeDirectives = function () {
addInlineScriptExceptions(directives)
}
addUpgradeUnsafeRequestsOptionTo(directives)
addReportURI(directives)
return directives
}
@ -72,6 +73,12 @@ function addUpgradeUnsafeRequestsOptionTo (directives) {
}
}
function addReportURI (directives) {
if (config.csp.reportURI) {
directives.reportUri = config.csp.reportURI
}
}
CspStrategy.addNonceToLocals = function (req, res, next) {
res.locals.nonce = uuid.v4()
next()