author | Literallie | 2017-10-18 17:10:23 +0200 |
---|---|---|
committer | Literallie | 2017-10-22 00:03:44 +0200 |
commit | ba183ce6543f102ae635502a0da0ac7c923cc97a (patch) | |
tree | 494790b1e27b8468c511d8fc4e39ae04413e317f | |
parent | a23048254ddfb36a2c204c96db042fd0a6012b48 (diff) |
Add basic CSP support
-rw-r--r-- | app.js | 25 | ||||
-rw-r--r-- | lib/config/default.js | 10 |
2 files changed, 35 insertions, 0 deletions
@@ -108,6 +108,31 @@ if (config.hsts.enable) {
 logger.info('https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security')
 }
 
+// use Content-Security-Policy to limit XSS, dangerous plugins, etc.
+// https://helmetjs.github.io/docs/csp/
+if (config.csp.enable) {
+ var cdnDirectives = {
+ scriptSrc: ["https://cdnjs.cloudflare.com"],
+ styleSrc: ["https://cdnjs.cloudflare.com", "https://fonts.googleapis.com"],
+ fontSrc: ["https://cdnjs.cloudflare.com", "https://fonts.gstatic.com"]
+ }
+ var directives = {}
+ for (var propertyName in config.csp.directives) {
+ if(config.csp.directives.hasOwnProperty(propertyName)) {
+ var directive = config.csp.directives[propertyName]
+ if (config.usecdn && !!cdnDirectives[propertyName]) {
+ directive = directive.concat(cdnDirectives[propertyName])
+ }
+ directives[propertyName] = directive;
+ }
+ }
+ app.use(helmet.contentSecurityPolicy({
+ directives: directives
+ }))
+} else {
+ logger.info('Content-Security-Policy is disabled. This may be a security risk.');
+}
+
 i18n.configure({
 locales: ['en', 'zh', 'fr', 'de', 'ja', 'es', 'ca', 'el', 'pt', 'it', 'tr', 'ru', 'nl', 'hr', 'pl', 'uk', 'hi', 'sv', 'eo', 'da'],
 cookie: 'locale',
diff --git a/lib/config/default.js b/lib/config/default.js
index f4c45e3d..e207dfc6 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -13,6 +13,16 @@ module.exports = {
 includeSubdomains: true,
 preload: true
 },
+ csp: {
+ enable: true,
+ reportUri: '',
+ directives: {
+ defaultSrc: ["'self'"],
+ scriptSrc: ["'self'"],
+ styleSrc: ["'self'", "'unsafe-inline'"],
+ fontSrc: ["'self'"]
+ }
+ },
 protocolusessl: false,
 usecdn: true,
 allowanonymous: true, |
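Review bot: `config.csp.reportUri`, introduced in the lib/config/default.js hunk, is never read here — the directive map handed to `helmet.contentSecurityPolicy` is built only from `config.csp.directives`, so a configured report URI has no effect and policy violations (the signal a defender needs to notice an injection attempt or an over-tight policy) are never reported. Wire it in after the loop, `if (config.csp.reportUri) { directives.reportUri = [config.csp.reportUri] }`. Note also that CDN origins are merged only for keys present in `config.csp.directives`, so a deployment that removes `fontSrc` from its config silently loses the `fonts.gstatic.com` allowance as well; a comment stating this coupling, or merging the CDN keys whenever `config.usecdn` is set, would avoid surprises. Finally, the block mixes terminated and unterminated statements (`directives[propertyName] = directive;` next to `var directives = {}`) and writes `if(` without a space, while the surrounding context lines use the unterminated style.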
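Review bot: `styleSrc` ships with `'unsafe-inline'` as the default, which gives up the style-injection protection that the otherwise strict `scriptSrc: ["'self'"]` aims for; if inline styles are unavoidable for the views, a comment saying so and naming nonces or hashes as the follow-up lets a later reader tighten it deliberately, e.g. `// 'unsafe-inline' for styles: views rely on inline style attributes; TODO replace with nonces/hashes`. Conversely `scriptSrc: ["'self'"]` will block any inline script the templates contain, which cannot be confirmed from this diff, so `enable: true` as the shipped default may break existing installs on upgrade rather than fail safe; a note beside `enable` stating that the policy is on by default and how to turn it off would be worth adding. `reportUri` would also benefit from a line giving the expected value (a URL, or empty to leave reporting off).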