Diffstat (limited to 'app.js')
-rw-r--r-- | app.js | 33 |
1 files changed, 26 insertions, 7 deletions
@@ -24,6 +24,7 @@ var config = require('./lib/config')
 var logger = require('./lib/logger')
 var response = require('./lib/response')
 var models = require('./lib/models')
+var csp = require('./lib/csp')
 
 // generate front-end constants by template
 var constpath = path.join(__dirname, './public/js/lib/common/constant.ejs')
@@ -34,7 +35,7 @@ var data = {
   version: config.version,
   GOOGLE_API_KEY: config.google.clientSecret,
   GOOGLE_CLIENT_ID: config.google.clientID,
-  DROPBOX_APP_KEY: config.dropbox.clientSecret
+  DROPBOX_APP_KEY: config.dropbox.appKey
 }
 
 ejs.renderFile(constpath, data, {}, function (err, str) {
@@ -97,14 +98,32 @@ var sessionStore = new SequelizeStore({
 app.use(compression())
 
 // use hsts to tell https users stick to this
-app.use(helmet.hsts({
-  maxAge: 31536000 * 1000, // 365 days
-  includeSubdomains: true,
-  preload: true
-}))
+if (config.hsts.enable) {
+  app.use(helmet.hsts({
+    maxAge: config.hsts.maxAgeSeconds * 1000,
+    includeSubdomains: config.hsts.includeSubdomains,
+    preload: config.hsts.preload
+  }))
+} else if (config.usessl) {
+  logger.info('Consider enabling HSTS for extra security:')
+  logger.info('https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security')
+}
+
+// Generate a random nonce per request, for CSP with inline scripts
+app.use(csp.addNonceToLocals)
+
+// use Content-Security-Policy to limit XSS, dangerous plugins, etc.
+// https://helmetjs.github.io/docs/csp/
+if (config.csp.enable) {
+  app.use(helmet.contentSecurityPolicy({
+    directives: csp.computeDirectives()
+  }))
+} else {
+  logger.info('Content-Security-Policy is disabled. This may be a security risk.')
+}
 
 i18n.configure({
-  locales: ['en', 'zh', 'fr', 'de', 'ja', 'es', 'ca', 'el', 'pt', 'it', 'tr', 'ru', 'nl', 'hr', 'pl', 'uk', 'hi', 'sv', 'eo', 'da'],
+  locales: ['en', 'zh', 'zh-CN', 'zh-TW', 'fr', 'de', 'ja', 'es', 'ca', 'el', 'pt', 'it', 'tr', 'ru', 'nl', 'hr', 'pl', 'uk', 'hi', 'sv', 'eo', 'da'],
   cookie: 'locale',
   directory: path.join(__dirname, '/locales')
 })
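Review bot: The context line `GOOGLE_API_KEY: config.google.clientSecret` in the second hunk has the same shape as the Dropbox bug this commit fixes, but is left in place: `data` is rendered into `public/js/lib/common/constant.ejs`, which by its path is served to the browser, so the Google OAuth client secret is still being written into a public front-end constants file. The fix should point `GOOGLE_API_KEY` at whatever public API-key value the config provides (placeholder: `config.google.<public api key>` — confirm the field name in lib/config) rather than `clientSecret`, and any secret that has already shipped this way should be treated as exposed and rotated. The enclosing `var data = {` object starts in the hunk header, outside the visible lines.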
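Review bot: In the third hunk the `config.csp.enable` false branch only writes an info-level log line and then serves no policy at all, so operators who leave CSP off get neither protection nor any signal about what a policy would have blocked. helmet's `contentSecurityPolicy` accepts `reportOnly: true`, which sends `Content-Security-Policy-Report-Only` and surfaces violations in the browser console without blocking; offering that as an intermediate mode (gated by a config knob chosen in lib/config, not invented here) would make it much easier to move deployments from disabled to enforced. The log level is also worth a look: a message that says "This may be a security risk" reads as a warning, so if lib/logger exposes a warn level it would fit better than `logger.info`. `csp.addNonceToLocals` is registered even when CSP is disabled; that is presumably deliberate so templates referencing the nonce keep working, and a one-line comment saying so (`// nonce is always generated so templates can reference it even when CSP is off`) would stop a later reader from "fixing" it.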