Merge pull request #598 from xxyy/feature/csp

Implement basic CSP support
author: Christoph (Sheogorath) Kern 2018-01-22 20:43:46 +0100
committer: GitHub 2018-01-22 20:43:46 +0100
commit: 7de6e3211f797ed9e9e5ca3d52181f77abf030d0 (patch)
tree: 8dc88e060df51106eedda199fe7ea571d0ffd5b4 /README.md
parent: fbfe3272f58232e6a7e46a82232b4dab065e2390 (diff)
parent: 3a752fde5117e800d65e26cbe7b15d65eb5b491e (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/README.md b/README.md
index 1e7d79ab..fb1f8e3d 100644
--- a/README.md
+++ b/README.md
@@ -197,6 +197,7 @@ There are some configs you need to change in the files below
 | HMD_HSTS_INCLUDE_SUBDOMAINS | `true` | set to include subdomains in HSTS (default is `true`) |
 | HMD_HSTS_MAX_AGE | `31536000` | max duration in seconds to tell clients to keep HSTS status (default is a year) |
 | HMD_HSTS_PRELOAD | `true` | whether to allow preloading of the site's HSTS status (e.g. into browsers) |
+| HMD_CSP_ENABLE | `true` | whether to enable Content Security Policy (directives cannot be configured with environment variables) |
 
 ## Application settings `config.json`
 
@@ -208,7 +209,8 @@ There are some configs you need to change in the files below
 | port | `80` | web app port |
 | alloworigin | `['localhost']` | domain name whitelist |
 | usessl | `true` or `false` | set to use ssl server (if true will auto turn on `protocolusessl`) |
-| hsts | `{"enable": "true", "maxAgeSeconds": "31536000", "includeSubdomains": "true", "preload": "true"}` | [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) options to use with HTTPS (default is the example value, max age is a year) |
+| hsts | `{"enable": true, "maxAgeSeconds": 31536000, "includeSubdomains": true, "preload": true}` | [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) options to use with HTTPS (default is the example value, max age is a year) |
+| csp | `{"enable": true, "directives": {"scriptSrc": "trustworthy-scripts.example.com"}, "upgradeInsecureRequests": "auto", "addDefaults": true}` | Configures [Content Security Policy](https://helmetjs.github.io/docs/csp/). Directives are passed to Helmet - see [their documentation](https://helmetjs.github.io/docs/csp/) for more information on the format. Some defaults are added to the configured values so that the application doesn't break. To disable this behaviour, set `addDefaults` to `false`. Further, if `usecdn` is on, some CDN locations are allowed too. By default (`auto`), insecure (HTTP) requests are upgraded to HTTPS via CSP if `usessl` is on. To change this behaviour, set `upgradeInsecureRequests` to either `true` or `false`. |
 | protocolusessl | `true` or `false` | set to use ssl protocol for resources path (only applied when domain is set) |
 | urladdport | `true` or `false` | set to add port on callback url (port 80 or 443 won't applied) (only applied when domain is set) |
 | usecdn | `true` or `false` | set to use CDN resources or not (default is `true`) |
author	Christoph (Sheogorath) Kern	2018-01-22 20:43:46 +0100
committer	GitHub	2018-01-22 20:43:46 +0100
commit	7de6e3211f797ed9e9e5ca3d52181f77abf030d0 (patch)
tree	8dc88e060df51106eedda199fe7ea571d0ffd5b4 /README.md
parent	fbfe3272f58232e6a7e46a82232b4dab065e2390 (diff)
parent	3a752fde5117e800d65e26cbe7b15d65eb5b491e (diff)