Merge pull request #598 from xxyy/feature/csp

Implement basic CSP support
author: Christoph (Sheogorath) Kern 2018-01-22 20:43:46 +0100
committer: GitHub 2018-01-22 20:43:46 +0100
commit: 7de6e3211f797ed9e9e5ca3d52181f77abf030d0 (patch)
tree: 8dc88e060df51106eedda199fe7ea571d0ffd5b4 /app.js
parent: fbfe3272f58232e6a7e46a82232b4dab065e2390 (diff)
parent: 3a752fde5117e800d65e26cbe7b15d65eb5b491e (diff)
1 files changed, 14 insertions, 0 deletions
diff --git a/app.js b/app.js
index 37e772bc..2183b149 100644
--- a/app.js
+++ b/app.js
@@ -24,6 +24,7 @@ var config = require('./lib/config')
 var logger = require('./lib/logger')
 var response = require('./lib/response')
 var models = require('./lib/models')
+var csp = require('./lib/csp')
 
 // generate front-end constants by template
 var constpath = path.join(__dirname, './public/js/lib/common/constant.ejs')
@@ -108,6 +109,19 @@ if (config.hsts.enable) {
   logger.info('https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security')
 }
 
+// Generate a random nonce per request, for CSP with inline scripts
+app.use(csp.addNonceToLocals)
+
+// use Content-Security-Policy to limit XSS, dangerous plugins, etc.
+// https://helmetjs.github.io/docs/csp/
+if (config.csp.enable) {
+  app.use(helmet.contentSecurityPolicy({
+    directives: csp.computeDirectives()
+  }))
+} else {
+  logger.info('Content-Security-Policy is disabled. This may be a security risk.')
+}
+
 i18n.configure({
   locales: ['en', 'zh', 'zh-CN', 'zh-TW', 'fr', 'de', 'ja', 'es', 'ca', 'el', 'pt', 'it', 'tr', 'ru', 'nl', 'hr', 'pl', 'uk', 'hi', 'sv', 'eo', 'da'],
   cookie: 'locale',
author	Christoph (Sheogorath) Kern	2018-01-22 20:43:46 +0100
committer	GitHub	2018-01-22 20:43:46 +0100
commit	7de6e3211f797ed9e9e5ca3d52181f77abf030d0 (patch)
tree	8dc88e060df51106eedda199fe7ea571d0ffd5b4 /app.js
parent	fbfe3272f58232e6a7e46a82232b4dab065e2390 (diff)
parent	3a752fde5117e800d65e26cbe7b15d65eb5b491e (diff)