From 53cc69a413492e08f4ac0a77b7d3da51547464d7 Mon Sep 17 00:00:00 2001
From: Tom Moor
Date: Fri, 23 Aug 2019 19:00:38 -0700
Subject: [PATCH] fix: additional security headers by default

---
 server/app.js | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)

diff --git a/server/app.js b/server/app.js
index d5fd6935..2a85ab32 100644
--- a/server/app.js
+++ b/server/app.js
@@ -1,6 +1,10 @@
 // @flow
 import compress from 'koa-compress';
-import { contentSecurityPolicy } from 'koa-helmet';
+import helmet, {
+  contentSecurityPolicy,
+  dnsPrefetchControl,
+  referrerPolicy,
+} from 'koa-helmet';
 import logger from 'koa-logger';
 import mount from 'koa-mount';
 import enforceHttps from 'koa-sslify';
@@ -17,6 +21,19 @@ import routes from './routes';
 
 const app = new Koa();
 app.use(compress());
+app.use(helmet());
+app.use(
+  contentSecurityPolicy({
+    directives: {
+      defaultSrc: ["'self'"],
+      scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
+      styleSrc: ["'self'", "'unsafe-inline'"],
+      imgSrc: ['*', 'data:'],
+    },
+  })
+);
+app.use(dnsPrefetchControl({ allow: true }));
+app.use(referrerPolicy({ policy: 'no-referrer' }));
 
 if (process.env.NODE_ENV === 'development') {
   /* eslint-disable global-require */
@@ -103,15 +120,6 @@ app.use(mount('/auth', auth));
 app.use(mount('/api', api));
 app.use(mount(routes));
 
-app.use(
-  contentSecurityPolicy({
-    directives: {
-      defaultSrc: ["'self'"],
-      styleSrc: ["'self'", "'unsafe-inline'"],
-    },
-  })
-);
-
 /**
  * Production updates and anonymous analytics.
  *
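Review bot: The new `scriptSrc` in the second hunk allows `'unsafe-inline'` and `'unsafe-eval'`, which means an injected inline script or string-evaluated payload is still permitted, so the policy no longer mitigates script injection even though `defaultSrc` is `'self'`; likewise `imgSrc: ['*', 'data:']` lets the page load images from any origin, so CSP cannot restrict exfiltration over image requests. If the front end currently needs these, add a comment recording that and the follow-up, e.g. `// 'unsafe-inline'/'unsafe-eval' disable CSP's script-injection protection; TODO(owner): move to nonce- or hash-based allowlisting`, and consider `reportUri` so violations are visible before tightening. Note that `dnsPrefetchControl({ allow: true })` explicitly turns prefetching on, which is the permissive setting rather than a hardening one, so a one-line comment on why it is enabled would help. Depending on the koa-helmet/helmet version in use, `helmet()` may also emit its own default `Content-Security-Policy` header ahead of the explicit one, which would leave two policies on the response — worth confirming in the response headers.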