9 files changed, 33 insertions, 9 deletions
diff --git a/README.md b/README.md
index 0bb3845b..bdad3336 100644
--- a/README.md
+++ b/README.md
@@ -151,6 +151,8 @@ There are some config settings you need to change in the files below.
 | `HMD_ALLOW_FREEURL` | `true` or `false` | set to allow new note creation by accessing a nonexistent note URL |
 | `HMD_DEFAULT_PERMISSION` | `freely`, `editable`, `limited`, `locked` or `private` | set notes default permission (only applied on signed users) |
 | `HMD_DB_URL` | `mysql://localhost:3306/database` | set the database URL |
+| `HMD_SESSION_SECRET` | no example | Secret used to sign the session cookie. If non is set, one will randomly generated on startup |
+| `HMD_SESSION_LIFE` | `1209600000` | Session life time. (milliseconds) |
 | `HMD_FACEBOOK_CLIENTID` | no example | Facebook API client id |
 | `HMD_FACEBOOK_CLIENTSECRET` | no example | Facebook API client secret |
 | `HMD_TWITTER_CONSUMERKEY` | no example | Twitter API consumer key |
diff --git a/app.json b/app.json
index b2116eb6..54ce160e 100644
--- a/app.json
+++ b/app.json
@@ -23,6 +23,10 @@
             "description": "Specify database type. See sequelize available databases. Default using postgres",
             "value": "postgres"
         },
+        "HMD_SESSION_SECRET": {
+            "description": "Secret used to secure session cookies.",
+            "required": false
+        },
         "HMD_HSTS_ENABLE": {
             "description": "whether to also use HSTS if HTTPS is enabled",
             "required": false
diff --git a/config.json.example b/config.json.example
index 8d1b6abd..2d9b7714 100644
--- a/config.json.example
+++ b/config.json.example
@@ -27,7 +27,9 @@
             "directives": {
             },
             "upgradeInsecureRequests": "auto"
-            "addDefaults": true
+            "addDefaults": true,
+            "addDisqus": true,
+            "addGoogleAnalytics": true
         },
         "db": {
             "username": "",
diff --git a/lib/config/default.js b/lib/config/default.js
index b6f1af17..68849d36 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -18,6 +18,8 @@ module.exports = {
     directives: {
     },
     addDefaults: true,
+    addDisqus: true,
+    addGoogleAnalytics: true,
     upgradeInsecureRequests: 'auto',
     reportURI: undefined
   },
diff --git a/lib/config/environment.js b/lib/config/environment.js
index cab3bc3e..3dde4786 100644
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@@ -26,6 +26,8 @@ module.exports = {
   allowFreeURL: toBooleanConfig(process.env.HMD_ALLOW_FREEURL),
   defaultPermission: process.env.HMD_DEFAULT_PERMISSION,
   dbURL: process.env.HMD_DB_URL,
+  sessionSecret: process.env.HMD_SESSION_SECRET,
+  sessionLife: toIntegerConfig(process.env.HMD_SESSION_LIFE),
   imageUploadType: process.env.HMD_IMAGE_UPLOAD_TYPE,
   imgur: {
     clientID: process.env.HMD_IMGUR_CLIENTID
diff --git a/lib/csp.js b/lib/csp.js
index 8a4aa088..d0f906a3 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -5,7 +5,7 @@ var CspStrategy = {}
 
 var defaultDirectives = {
   defaultSrc: ['\'self\''],
-  scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net', 'https://query.yahooapis.com', 'https://*.disqus.com', '\'unsafe-eval\''],
+  scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net', 'https://query.yahooapis.com', '\'unsafe-eval\''],
   // ^ TODO: Remove unsafe-eval - webpack script-loader issues https://github.com/hackmdio/hackmd/issues/594
   imgSrc: ['*'],
   styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://assets-cdn.github.com'], // unsafe-inline is required for some libs, plus used in views
@@ -22,11 +22,23 @@ var cdnDirectives = {
   fontSrc: ['https://cdnjs.cloudflare.com', 'https://fonts.gstatic.com']
 }
 
+var disqusDirectives = {
+  scriptSrc: ['https://*.disqus.com', 'https://*.disquscdn.com'],
+  styleSrc: ['https://*.disquscdn.com'],
+  fontSrc: ['https://*.disquscdn.com']
+}
+
+var googleAnalyticsDirectives = {
+  scriptSrc: ['https://www.google-analytics.com']
+}
+
 CspStrategy.computeDirectives = function () {
   var directives = {}
   mergeDirectives(directives, config.csp.directives)
   mergeDirectivesIf(config.csp.addDefaults, directives, defaultDirectives)
   mergeDirectivesIf(config.useCDN, directives, cdnDirectives)
+  mergeDirectivesIf(config.csp.addDisqus, directives, disqusDirectives)
+  mergeDirectivesIf(config.csp.addGoogleAnalytics, directives, googleAnalyticsDirectives)
   if (!areAllInlineScriptsAllowed(directives)) {
     addInlineScriptExceptions(directives)
   }
diff --git a/lib/response.js b/lib/response.js
index b18fd7a3..d5c685ca 100644
--- a/lib/response.js
+++ b/lib/response.js
@@ -226,7 +226,8 @@ function showPublishNote (req, res, next) {
         lastchangeuserprofile: note.lastchangeuser ? models.User.getProfile(note.lastchangeuser) : null,
         robots: meta.robots || false, // default allow robots
         GA: meta.GA,
-        disqus: meta.disqus
+        disqus: meta.disqus,
+        cspNonce: res.locals.nonce
       }
       return renderPublish(data, res)
     }).catch(function (err) {
diff --git a/public/views/shared/disqus.ejs b/public/views/shared/disqus.ejs
index cceaa85c..840d1e38 100644
--- a/public/views/shared/disqus.ejs
+++ b/public/views/shared/disqus.ejs
@@ -1,14 +1,13 @@
 <div id="disqus_thread"></div>
-<script>
+<script nonce="<%= cspNonce %>">
 var disqus_config = function () {
     this.page.identifier = window.location.pathname.split('/').slice(-1)[0];
 };
 (function() {
     var d = document, s = d.createElement('script');
-    s.src = '//<%= disqus %>.disqus.com/embed.js';
+    s.src = 'https://<%= disqus %>.disqus.com/embed.js';
     s.setAttribute('data-timestamp', +new Date());
     (d.head || d.body).appendChild(s);
 })();
 </script>
 <noscript>Please enable JavaScript to view the <a href="https://disqus.com/?ref_noscript">comments powered by Disqus.</a></noscript>
-                                    
-\ No newline at end of file
diff --git a/public/views/shared/ga.ejs b/public/views/shared/ga.ejs
index 66d4acd9..27abb742 100644
--- a/public/views/shared/ga.ejs
+++ b/public/views/shared/ga.ejs
@@ -1,5 +1,5 @@
 <% if(typeof GA !== 'undefined' && GA) { %>
-<script>
+<script nonce="<%= cspNonce %>">
 (function (i, s, o, g, r, a, m) {
     i['GoogleAnalyticsObject'] = r;
     i[r] = i[r] || function () {
@@ -10,9 +10,9 @@
     a.async = 1;
     a.src = g;
     m.parentNode.insertBefore(a, m)
-})(window, document, 'script', '//www.google-analytics.com/analytics.js', 'ga');
+})(window, document, 'script', 'https://www.google-analytics.com/analytics.js', 'ga');
 
 ga('create', '<%= GA %>', 'auto');
 ga('send', 'pageview');
 </script>
-<% } %>
-\ No newline at end of file
+<% } %>