Add basic CSP support
This commit is contained in:
parent
a23048254d
commit
ba183ce654
2 changed files with 35 additions and 0 deletions
25
app.js
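--- a/app.js
+++ b/app.js
@@ -108,6 +108,31 @@ if (config.hsts.enable) {
 logger.info('https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security')
 }
 
+// use Content-Security-Policy to limit XSS, dangerous plugins, etc.
+// https://helmetjs.github.io/docs/csp/
+if (config.csp.enable) {
+var cdnDirectives = {
+scriptSrc: ["https://cdnjs.cloudflare.com"],
+styleSrc: ["https://cdnjs.cloudflare.com", "https://fonts.googleapis.com"],
+fontSrc: ["https://cdnjs.cloudflare.com", "https://fonts.gstatic.com"]
+}
+var directives = {}
+for (var propertyName in config.csp.directives) {
+if(config.csp.directives.hasOwnProperty(propertyName)) {
+var directive = config.csp.directives[propertyName]
+if (config.usecdn && !!cdnDirectives[propertyName]) {
+directive = directive.concat(cdnDirectives[propertyName])
+}
+directives[propertyName] = directive;
+}
+}
+app.use(helmet.contentSecurityPolicy({
+directives: directives
+}))
+} else {
+logger.info('Content-Security-Policy is disabled. This may be a security risk.');
+}
+
 i18n.configure({
 locales: ['en', 'zh', 'fr', 'de', 'ja', 'es', 'ca', 'el', 'pt', 'it', 'tr', 'ru', 'nl', 'hr', 'pl', 'uk', 'hi', 'sv', 'eo', 'da'],
 cookie: 'locale',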
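Review bot: `config.csp.reportUri` is added to the config defaults in this commit but nothing in this block reads it — `helmet.contentSecurityPolicy` is only handed `directives`, so an operator who sets a report URI gets no reports. Wire it in before the `app.use` call, e.g. `if (config.csp.reportUri) { directives.reportUri = [config.csp.reportUri] }` (helmet's csp middleware takes `reportUri` as a directive key; confirm against the installed helmet version). The `config.usecdn` branch also allowlists the entire `https://cdnjs.cloudflare.com` origin for `scriptSrc`, which is a well-known CSP weakness since any library hosted there (AngularJS is the classic example) becomes loadable by an injected tag; a comment such as `// NOTE: allowing the whole cdnjs origin lets any script hosted there load — prefer path-level entries or SRI on the CDN tags` would at least record the trade-off. Finally, `directive.concat(...)` assumes every configured directive is an array: a string value like `"'self'"` would be string-concatenated into `"'self'https://cdnjs.cloudflare.com"` rather than extended, so guard with `Array.isArray(directive) ? directive.concat(...) : [directive].concat(...)` or document that directives must be arrays.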
@ -13,6 +13,16 @@ module.exports = {
includeSubdomains: true,
includeSubdomains: true,
preload: true
preload: true
},
},
csp: {
enable: true,
reportUri: '',
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'"],
styleSrc: ["'self'", "'unsafe-inline'"],
fontSrc: ["'self'"]
}
},
protocolusessl: false,
protocolusessl: false,
usecdn: true,
usecdn: true,
allowanonymous: true,
allowanonymous: true,
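Review bot: The default directives set only `defaultSrc`, `scriptSrc`, `styleSrc` and `fontSrc`, so `object-src` falls back to `'self'` (self-hosted plugin content stays loadable, despite the "dangerous plugins" goal in the app.js comment), and `base-uri` and `frame-ancestors`, which do not fall back to `default-src` under the CSP spec, are left unset, so this policy as shipped does nothing against `<base>` injection or framing. Consider adding `objectSrc: ["'none'"],` and `baseUri: ["'self'"],` to the defaults, and `frameAncestors` if the editor is not meant to be embedded. `'unsafe-inline'` on `styleSrc` also weakens the style-injection protection; a comment recording why it is required, e.g. `// 'unsafe-inline' on style-src: needed by inline styles in the views — TODO confirm and tighten`, would keep that exception from being cargo-culted. The enclosing `module.exports` object begins and ends outside this hunk.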