mirror of
https://github.com/hedgedoc/hedgedoc.git
synced 2024-12-26 05:32:43 +00:00
Merge pull request #761 from SISheogorath/feature/reportURI
Add config option for report URI in CSP
This commit is contained in:
commit
9cbe03d8a8
4 changed files with 12 additions and 2 deletions
|
@ -207,6 +207,7 @@ There are some config settings you need to change in the files below.
|
||||||
| `HMD_HSTS_MAX_AGE` | `31536000` | max duration in seconds to tell clients to keep HSTS status (default is a year) |
|
| `HMD_HSTS_MAX_AGE` | `31536000` | max duration in seconds to tell clients to keep HSTS status (default is a year) |
|
||||||
| `HMD_HSTS_PRELOAD` | `true` | whether to allow preloading of the site's HSTS status (e.g. into browsers) |
|
| `HMD_HSTS_PRELOAD` | `true` | whether to allow preloading of the site's HSTS status (e.g. into browsers) |
|
||||||
| `HMD_CSP_ENABLE` | `true` | whether to enable Content Security Policy (directives cannot be configured with environment variables) |
|
| `HMD_CSP_ENABLE` | `true` | whether to enable Content Security Policy (directives cannot be configured with environment variables) |
|
||||||
|
| `HMD_CSP_REPORTURI` | `https://<someid>.report-uri.com/r/d/csp/enforce` | Allows to add a URL for CSP reports in case of violations |
|
||||||
|
|
||||||
## Application settings `config.json`
|
## Application settings `config.json`
|
||||||
|
|
||||||
|
|
|
@ -18,7 +18,8 @@ module.exports = {
|
||||||
directives: {
|
directives: {
|
||||||
},
|
},
|
||||||
addDefaults: true,
|
addDefaults: true,
|
||||||
upgradeInsecureRequests: 'auto'
|
upgradeInsecureRequests: 'auto',
|
||||||
|
reportURI: undefined
|
||||||
},
|
},
|
||||||
protocolusessl: false,
|
protocolusessl: false,
|
||||||
usecdn: true,
|
usecdn: true,
|
||||||
|
|
|
@ -15,7 +15,8 @@ module.exports = {
|
||||||
preload: toBooleanConfig(process.env.HMD_HSTS_PRELOAD)
|
preload: toBooleanConfig(process.env.HMD_HSTS_PRELOAD)
|
||||||
},
|
},
|
||||||
csp: {
|
csp: {
|
||||||
enable: toBooleanConfig(process.env.HMD_CSP_ENABLE)
|
enable: toBooleanConfig(process.env.HMD_CSP_ENABLE),
|
||||||
|
reportURI: process.env.HMD_CSP_REPORTURI
|
||||||
},
|
},
|
||||||
protocolusessl: toBooleanConfig(process.env.HMD_PROTOCOL_USESSL),
|
protocolusessl: toBooleanConfig(process.env.HMD_PROTOCOL_USESSL),
|
||||||
alloworigin: toArrayConfig(process.env.HMD_ALLOW_ORIGIN),
|
alloworigin: toArrayConfig(process.env.HMD_ALLOW_ORIGIN),
|
||||||
|
|
|
@ -30,6 +30,7 @@ CspStrategy.computeDirectives = function () {
|
||||||
addInlineScriptExceptions(directives)
|
addInlineScriptExceptions(directives)
|
||||||
}
|
}
|
||||||
addUpgradeUnsafeRequestsOptionTo(directives)
|
addUpgradeUnsafeRequestsOptionTo(directives)
|
||||||
|
addReportURI(directives)
|
||||||
return directives
|
return directives
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -72,6 +73,12 @@ function addUpgradeUnsafeRequestsOptionTo (directives) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function addReportURI (directives) {
|
||||||
|
if (config.csp.reportURI) {
|
||||||
|
directives.reportUri = config.csp.reportURI
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
CspStrategy.addNonceToLocals = function (req, res, next) {
|
CspStrategy.addNonceToLocals = function (req, res, next) {
|
||||||
res.locals.nonce = uuid.v4()
|
res.locals.nonce = uuid.v4()
|
||||||
next()
|
next()
|
||||||
|
|
Loading…
Reference in a new issue