summaryrefslogtreecommitdiff
path: root/app.js
diff options
context:
space:
mode:
Diffstat (limited to 'app.js')
-rw-r--r--app.js33
1 files changed, 26 insertions, 7 deletions
diff --git a/app.js b/app.js
index 1508781c..2183b149 100644
--- a/app.js
+++ b/app.js
@@ -24,6 +24,7 @@ var config = require('./lib/config')
var logger = require('./lib/logger')
var response = require('./lib/response')
var models = require('./lib/models')
+var csp = require('./lib/csp')
// generate front-end constants by template
var constpath = path.join(__dirname, './public/js/lib/common/constant.ejs')
@@ -34,7 +35,7 @@ var data = {
version: config.version,
GOOGLE_API_KEY: config.google.clientSecret,
GOOGLE_CLIENT_ID: config.google.clientID,
- DROPBOX_APP_KEY: config.dropbox.clientSecret
+ DROPBOX_APP_KEY: config.dropbox.appKey
}
ejs.renderFile(constpath, data, {}, function (err, str) {
@@ -97,14 +98,32 @@ var sessionStore = new SequelizeStore({
app.use(compression())
// use hsts to tell https users stick to this
-app.use(helmet.hsts({
- maxAge: 31536000 * 1000, // 365 days
- includeSubdomains: true,
- preload: true
-}))
+if (config.hsts.enable) {
+ app.use(helmet.hsts({
+ maxAge: config.hsts.maxAgeSeconds * 1000,
+ includeSubdomains: config.hsts.includeSubdomains,
+ preload: config.hsts.preload
+ }))
+} else if (config.usessl) {
+ logger.info('Consider enabling HSTS for extra security:')
+ logger.info('https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security')
+}
+
+// Generate a random nonce per request, for CSP with inline scripts
+app.use(csp.addNonceToLocals)
+
+// use Content-Security-Policy to limit XSS, dangerous plugins, etc.
+// https://helmetjs.github.io/docs/csp/
+if (config.csp.enable) {
+ app.use(helmet.contentSecurityPolicy({
+ directives: csp.computeDirectives()
+ }))
+} else {
+ logger.info('Content-Security-Policy is disabled. This may be a security risk.')
+}
i18n.configure({
- locales: ['en', 'zh', 'fr', 'de', 'ja', 'es', 'ca', 'el', 'pt', 'it', 'tr', 'ru', 'nl', 'hr', 'pl', 'uk', 'hi', 'sv', 'eo', 'da'],
+ locales: ['en', 'zh', 'zh-CN', 'zh-TW', 'fr', 'de', 'ja', 'es', 'ca', 'el', 'pt', 'it', 'tr', 'ru', 'nl', 'hr', 'pl', 'uk', 'hi', 'sv', 'eo', 'da'],
cookie: 'locale',
directory: path.join(__dirname, '/locales')
})
generated by cgit v1.2.3 (git 2.25.1) at 2024-09-14 00:57:37 +0000