summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--README.md1
-rw-r--r--lib/config/default.js3
-rw-r--r--lib/config/environment.js3
-rw-r--r--lib/csp.js7
4 files changed, 12 insertions, 2 deletions
diff --git a/README.md b/README.md
index e65eec3e..7c577bbc 100644
--- a/README.md
+++ b/README.md
@@ -207,6 +207,7 @@ There are some config settings you need to change in the files below.
| `HMD_HSTS_MAX_AGE` | `31536000` | max duration in seconds to tell clients to keep HSTS status (default is a year) |
| `HMD_HSTS_PRELOAD` | `true` | whether to allow preloading of the site's HSTS status (e.g. into browsers) |
| `HMD_CSP_ENABLE` | `true` | whether to enable Content Security Policy (directives cannot be configured with environment variables) |
+| `HMD_CSP_REPORTURI` | `https://<someid>.report-uri.com/r/d/csp/enforce` | Allows to add a URL for CSP reports in case of violations |
## Application settings `config.json`
diff --git a/lib/config/default.js b/lib/config/default.js
index 06e887f4..7407ec60 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -18,7 +18,8 @@ module.exports = {
directives: {
},
addDefaults: true,
- upgradeInsecureRequests: 'auto'
+ upgradeInsecureRequests: 'auto',
+ reportURI: undefined
},
protocolusessl: false,
usecdn: true,
diff --git a/lib/config/environment.js b/lib/config/environment.js
index 403c7d75..2d0b520a 100644
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@@ -15,7 +15,8 @@ module.exports = {
preload: toBooleanConfig(process.env.HMD_HSTS_PRELOAD)
},
csp: {
- enable: toBooleanConfig(process.env.HMD_CSP_ENABLE)
+ enable: toBooleanConfig(process.env.HMD_CSP_ENABLE),
+ reportURI: process.env.HMD_CSP_REPORTURI
},
protocolusessl: toBooleanConfig(process.env.HMD_PROTOCOL_USESSL),
alloworigin: toArrayConfig(process.env.HMD_ALLOW_ORIGIN),
diff --git a/lib/csp.js b/lib/csp.js
index 509bc530..b46ae8ef 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -30,6 +30,7 @@ CspStrategy.computeDirectives = function () {
addInlineScriptExceptions(directives)
}
addUpgradeUnsafeRequestsOptionTo(directives)
+ addReportURI(directives)
return directives
}
@@ -72,6 +73,12 @@ function addUpgradeUnsafeRequestsOptionTo (directives) {
}
}
+function addReportURI (directives) {
+ if (config.csp.reportURI) {
+ directives.reportUri = config.csp.reportURI
+ }
+}
+
CspStrategy.addNonceToLocals = function (req, res, next) {
res.locals.nonce = uuid.v4()
next()