fix: additional security headers by default

Tom Moor
2019-08-23 19:00:38 -07:00
parent 7e62b3b9aa
commit 53cc69a413


@ -1,6 +1,10 @@
// @flow // @flow
import compress from 'koa-compress'; import compress from 'koa-compress';
import { contentSecurityPolicy } from 'koa-helmet'; import helmet, {
contentSecurityPolicy,
dnsPrefetchControl,
referrerPolicy,
} from 'koa-helmet';
import logger from 'koa-logger'; import logger from 'koa-logger';
import mount from 'koa-mount'; import mount from 'koa-mount';
import enforceHttps from 'koa-sslify'; import enforceHttps from 'koa-sslify';
@ -17,6 +21,19 @@ import routes from './routes';
const app = new Koa(); const app = new Koa();
app.use(compress()); app.use(compress());
app.use(helmet());
app.use(
contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
styleSrc: ["'self'", "'unsafe-inline'"],
imgSrc: ['*', 'data:'],
},
})
);
app.use(dnsPrefetchControl({ allow: true }));
app.use(referrerPolicy({ policy: 'no-referrer' }));
if (process.env.NODE_ENV === 'development') { if (process.env.NODE_ENV === 'development') {
/* eslint-disable global-require */ /* eslint-disable global-require */
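Review bot: The new `scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"]` in the contentSecurityPolicy block turns the CSP into a no-op for script injection, since inline and eval'd scripts are exactly what a CSP exists to block, and it is looser than the policy this commit removes further down, where scripts fell under `defaultSrc: ["'self'"]`. If the bundle genuinely needs these today, the directive deserves a comment such as `// TODO: replace 'unsafe-inline'/'unsafe-eval' with nonces or hashes; until then CSP does not mitigate XSS` so the relaxation is not mistaken for hardening. The `app.use(helmet())` line already installs the helmet defaults, so the explicit `dnsPrefetchControl({ allow: true })` that follows appears to override helmet's default of disabling prefetch; if that is intentional, a one-line comment stating why would help. The hunk's visible line counts are short of the header's 6/19, so a couple of lines (presumably blanks) were likely dropped in rendering.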
@ -103,15 +120,6 @@ app.use(mount('/auth', auth));
app.use(mount('/api', api)); app.use(mount('/api', api));
app.use(mount(routes)); app.use(mount(routes));
app.use(
contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
styleSrc: ["'self'", "'unsafe-inline'"],
},
})
);
/** /**
* Production updates and anonymous analytics. * Production updates and anonymous analytics.
* *