authorLiterallie2017-10-18 17:10:23 +0200
committerLiterallie2017-10-22 00:03:44 +0200
commitba183ce6543f102ae635502a0da0ac7c923cc97a (patch)
tree494790b1e27b8468c511d8fc4e39ae04413e317f
parenta23048254ddfb36a2c204c96db042fd0a6012b48 (diff)
Add basic CSP support
-rw-r--r--app.js25
-rw-r--r--lib/config/default.js10
2 files changed, 35 insertions, 0 deletions
diff --git a/app.js b/app.js
index 62e6627d..54ec6cf7 100644
--- a/app.js
+++ b/app.js
@@ -108,6 +108,31 @@ if (config.hsts.enable) {
logger.info('https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security')
}
+// use Content-Security-Policy to limit XSS, dangerous plugins, etc.
+// https://helmetjs.github.io/docs/csp/
+if (config.csp.enable) {
+ var cdnDirectives = {
+ scriptSrc: ["https://cdnjs.cloudflare.com"],
+ styleSrc: ["https://cdnjs.cloudflare.com", "https://fonts.googleapis.com"],
+ fontSrc: ["https://cdnjs.cloudflare.com", "https://fonts.gstatic.com"]
+ }
+ var directives = {}
+ for (var propertyName in config.csp.directives) {
+ if(config.csp.directives.hasOwnProperty(propertyName)) {
+ var directive = config.csp.directives[propertyName]
+ if (config.usecdn && !!cdnDirectives[propertyName]) {
+ directive = directive.concat(cdnDirectives[propertyName])
+ }
+ directives[propertyName] = directive;
+ }
+ }
+ app.use(helmet.contentSecurityPolicy({
+ directives: directives
+ }))
+} else {
+ logger.info('Content-Security-Policy is disabled. This may be a security risk.');
+}
+
i18n.configure({
locales: ['en', 'zh', 'fr', 'de', 'ja', 'es', 'ca', 'el', 'pt', 'it', 'tr', 'ru', 'nl', 'hr', 'pl', 'uk', 'hi', 'sv', 'eo', 'da'],
cookie: 'locale',
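Review bot: `config.csp.reportUri` (introduced in lib/config/default.js in this same commit) is never applied: the loop only walks `config.csp.directives`, so a deployer who sets a report endpoint gets no `report-uri` in the header and no violation reports. After the loop add `if (config.csp.reportUri) { directives.reportUri = [config.csp.reportUri] }` before the `helmet.contentSecurityPolicy` call. Also note that `directive.concat(...)` assumes every configured directive is an array; a string value in a user-supplied config would silently produce a char-split list rather than an error, so a comment such as `// each directive must be an array of sources` (or an `Array.isArray` check) would help. Separately, allowing the whole `https://cdnjs.cloudflare.com` host in `scriptSrc` is commonly flagged by CSP evaluators as a bypass, since that CDN serves libraries (e.g. AngularJS) that can execute attacker-controlled expressions under a host-based allowlist; pinning to the exact library paths, or moving to hashes/nonces, would make `usecdn` much less of a policy weakening.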
diff --git a/lib/config/default.js b/lib/config/default.js
index f4c45e3d..e207dfc6 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -13,6 +13,16 @@ module.exports = {
includeSubdomains: true,
preload: true
},
+ csp: {
+ enable: true,
+ reportUri: '',
+ directives: {
+ defaultSrc: ["'self'"],
+ scriptSrc: ["'self'"],
+ styleSrc: ["'self'", "'unsafe-inline'"],
+ fontSrc: ["'self'"]
+ }
+ },
protocolusessl: false,
usecdn: true,
allowanonymous: true,
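Review bot: The default policy does not actually restrict plugins, despite the "dangerous plugins" goal stated in the app.js comment: `object-src` is not listed, so it falls back to `defaultSrc 'self'` and a self-hosted `<object>`/`<embed>` is still permitted. Add `objectSrc: ["'none'"]` to `directives` (helmet accepts the camelCase key and the new app.js loop copies every configured directive through). The `'unsafe-inline'` in `styleSrc` is a deliberate trade-off but deserves a why-comment, e.g. `// 'unsafe-inline' is needed for inline styles; it re-opens CSS-based injection, tighten when possible`, so that later maintainers do not assume it is harmless. `reportUri: ''` should likewise carry a comment saying that it is an absolute URL to post violation reports to and is ignored when empty, since nothing in this file indicates its format. `module.exports` begins before this hunk.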