From 544146d9aae47586e659810ab9c724256247917c Mon Sep 17 00:00:00 2001
From: Reto Brunner
Date: Tue, 26 Oct 2021 22:20:06 +0200
Subject: [PATCH] Force CSP header for all requests

Currently styles / plugins were not actually under the CSP header protection. There's no real reason to not have them for all requests, so add them as a root middleware.
---
 src/server.js | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/src/server.js b/src/server.js
index 45548c7d..16028b07 100644
--- a/src/server.js
+++ b/src/server.js
@@ -50,6 +50,7 @@ module.exports = function (options = {}) {
 	app.set("env", "production")
 		.disable("x-powered-by")
 		.use(allRequests)
+		.use(addSecurityHeaders)
 		.get("/", indexRequest)
 		.get("/service-worker.js", forceNoCacheRequest)
 		.get("/js/bundle.js.map", forceNoCacheRequest)
@@ -286,14 +287,7 @@ function allRequests(req, res, next) {
 	return next();
 }
 
-function forceNoCacheRequest(req, res, next) {
-	// Intermittent proxies must not cache the following requests,
-	// browsers must fetch the latest version of these files (service worker, source maps)
-	res.setHeader("Cache-Control", "no-cache, no-transform");
-	return next();
-}
-
-function indexRequest(req, res) {
+function addSecurityHeaders(req, res, next) {
 	const policies = [
 		"default-src 'none'", // default to nothing
 		"base-uri 'none'", // disallow , has no fallback to default-src
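Review bot: `addSecurityHeaders`, the renamed function at the end of the second hunk (its body continues into the next hunk), carries no comment saying why it is now mounted as root middleware in the first hunk; that rationale lives only in the commit message. A header comment such as `// Root middleware: every response, including styles, plugin assets and API replies, gets the CSP and Referrer-Policy headers, so individual route handlers no longer set them.` would keep the intent with the code. Only requests that pass through this express app get the headers; if socket.io is attached to the same http server with its own request listener, its handshake responses would presumably bypass this middleware, which is worth confirming rather than assuming. The `"base-uri 'none'"` comment in the same hunk reads "disallow , has no fallback", which looks like the element name was lost in rendering rather than in the source.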
@@ -317,10 +311,22 @@ function indexRequest(req, res) {
 		policies.push("img-src http: https: data:");
 	}
 
-	res.setHeader("Content-Type", "text/html");
 	res.setHeader("Content-Security-Policy", policies.join("; "));
 	res.setHeader("Referrer-Policy", "no-referrer");
+	return next();
+}
+
+function forceNoCacheRequest(req, res, next) {
+	// Intermittent proxies must not cache the following requests,
+	// browsers must fetch the latest version of these files (service worker, source maps)
+	res.setHeader("Cache-Control", "no-cache, no-transform");
+	return next();
+}
+
+function indexRequest(req, res) {
+	res.setHeader("Content-Type", "text/html");
+
 	return fs.readFile(
 		path.join(__dirname, "..", "client", "index.html.tpl"),
 		"utf-8",