Skip to content
This repository has been archived by the owner on May 22, 2024. It is now read-only.

Added Content-Security-Policy #25

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Added Content-Security-Policy #25

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
7f5c84f
added possibility to specify csp
passi246 Dec 14, 2020
786d4eb
Merge pull request #1 from CircleOfNice/csp
passi246 Dec 14, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 10 additions & 3 deletions src/backend/app.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,14 +33,22 @@ app.use(require('./lib/express/cors'));

// General security/cache related headers + server header
app.use(function (req, res, next) {
const { CONTENT_SECURITY_POLICY } = process.env;
const headers = CONTENT_SECURITY_POLICY ? {
'Content-Security-Policy': CONTENT_SECURITY_POLICY
} : {
'Content-Security-Policy': 'frame-ancestors "none";',
'X-Frame-Options': 'DENY'
};

res.set({
'Strict-Transport-Security': 'includeSubDomains; max-age=631138519; preload',
'X-XSS-Protection': '0',
'X-Content-Type-Options': 'nosniff',
'X-Frame-Options': 'DENY',
'Cache-Control': 'no-cache, no-store, max-age=0, must-revalidate',
Pragma: 'no-cache',
Expires: 0
Expires: 0,
...headers
});
next();
});
Expand All @@ -59,7 +67,6 @@ app.use('/', require('./routes/main'));
// production error handler
// no stacktraces leaked to user
app.use(function (err, req, res, next) {

let payload = {
error: {
code: err.status,
Expand Down