summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSheogorath2018-03-10 14:34:14 +0100
committerSheogorath2018-03-14 17:57:41 +0100
commitefa490a50f5849205645384ee7910764bf929794 (patch)
tree3b1ba14c65820af97ea3c6bb3bb4368a751a1343
parent21be5a55179f6541f61be9f95bbb69e3c7a6515b (diff)
Add config option for report URI in CSP
This option is needed as it's currently not possible to add an report URI by the directives array. This option also allows to get CSP reports not only on docker based setup but also on our heroku instances. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Diffstat (limited to '')
-rw-r--r--README.md1
-rw-r--r--lib/config/default.js3
-rw-r--r--lib/config/environment.js3
-rw-r--r--lib/csp.js7
4 files changed, 12 insertions, 2 deletions
diff --git a/README.md b/README.md
index e65eec3e..7c577bbc 100644
--- a/README.md
+++ b/README.md
@@ -207,6 +207,7 @@ There are some config settings you need to change in the files below.
| `HMD_HSTS_MAX_AGE` | `31536000` | max duration in seconds to tell clients to keep HSTS status (default is a year) |
| `HMD_HSTS_PRELOAD` | `true` | whether to allow preloading of the site's HSTS status (e.g. into browsers) |
| `HMD_CSP_ENABLE` | `true` | whether to enable Content Security Policy (directives cannot be configured with environment variables) |
+| `HMD_CSP_REPORTURI` | `https://<someid>.report-uri.com/r/d/csp/enforce` | Allows to add a URL for CSP reports in case of violations |
## Application settings `config.json`
diff --git a/lib/config/default.js b/lib/config/default.js
index 06e887f4..7407ec60 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -18,7 +18,8 @@ module.exports = {
directives: {
},
addDefaults: true,
- upgradeInsecureRequests: 'auto'
+ upgradeInsecureRequests: 'auto',
+ reportURI: undefined
},
protocolusessl: false,
usecdn: true,
diff --git a/lib/config/environment.js b/lib/config/environment.js
index b83c67e5..34049fb2 100644
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@@ -15,7 +15,8 @@ module.exports = {
preload: toBooleanConfig(process.env.HMD_HSTS_PRELOAD)
},
csp: {
- enable: toBooleanConfig(process.env.HMD_CSP_ENABLE)
+ enable: toBooleanConfig(process.env.HMD_CSP_ENABLE),
+ reportURI: process.env.HMD_CSP_REPORTURI
},
protocolusessl: toBooleanConfig(process.env.HMD_PROTOCOL_USESSL),
alloworigin: toArrayConfig(process.env.HMD_ALLOW_ORIGIN),
diff --git a/lib/csp.js b/lib/csp.js
index 509bc530..b46ae8ef 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -30,6 +30,7 @@ CspStrategy.computeDirectives = function () {
addInlineScriptExceptions(directives)
}
addUpgradeUnsafeRequestsOptionTo(directives)
+ addReportURI(directives)
return directives
}
@@ -72,6 +73,12 @@ function addUpgradeUnsafeRequestsOptionTo (directives) {
}
}
+function addReportURI (directives) {
+ if (config.csp.reportURI) {
+ directives.reportUri = config.csp.reportURI
+ }
+}
+
CspStrategy.addNonceToLocals = function (req, res, next) {
res.locals.nonce = uuid.v4()
next()