KevinMidboe/vinlottis
1
0
Fork 0
Code Issues 8 Pull Requests 14 Packages Projects Releases Wiki Activity

Replaced helmet, cors & policy w/ local implem.

Browse Source 
The used functionality of helmet, cors & referrer-policy has been
defined in setupCors and setupHeaders.
This commit is contained in:
Kevin
2020-10-22 21:04:33 +02:00
parent bce28c5eb9
commit efbad63fcd
4 changed files with 49 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
middleware/setupCORS.js Normal file
View File

@@ -0,0 +1,6 @@
const openCORS = (req, res, next) => {
res.set("Access-Control-Allow-Origin", "*")
return next();
};
module.exports = openCORS;

37
middleware/setupHeaders.js Normal file
View File

@@ -0,0 +1,37 @@
const camelToKebabCase = str => str.replace(/[A-Z]/g, letter => `-${letter.toLowerCase()}`);
const mapFeaturePolicyToString = (features) => {
return Object.entries(features).map(([key, value]) => {
key = camelToKebabCase(key)
value = value == "*" ? value : `'${ value }'`
return `${key} ${value}`
}).join("; ")
}
const setupHeaders = (req, res, next) => {
res.set("Access-Control-Allow-Headers", "Content-Type")
// Security
res.set("X-Content-Type-Options", "nosniff");
res.set("X-XSS-Protection", "1; mode=block");
res.set("X-Frame-Options", "SAMEORIGIN");
res.set("X-DNS-Prefetch-Control", "off");
res.set("X-Download-Options", "noopen");
res.set("Strict-Transport-Security", "max-age=15552000; includeSubDomains")
// Feature policy
const features = {
fullscreen: "*",
payment: "none",
microphone: "none",
camera: "self",
speaker: "*",
syncXhr: "self"
}
const featureString = mapFeaturePolicyToString(features);
res.set("Feature-Policy", featureString)
return next();
}
module.exports = setupHeaders;

7
package.json
View File

@@ -18,16 +18,12 @@
"canvas-confetti": "^1.2.0", "canvas-confetti": "^1.2.0",
"chart.js": "^2.9.3", "chart.js": "^2.9.3",
"clean-webpack-plugin": "^3.0.0", "clean-webpack-plugin": "^3.0.0",
"compression": "^1.7.4",
"connect-mongo": "^3.2.0", "connect-mongo": "^3.2.0",
"cors": "^2.8.5",
"express": "^4.17.1", "express": "^4.17.1",
"express-session": "^1.17.0", "express-session": "^1.17.0",
"extract-text-webpack-plugin": "^3.0.2", "extract-text-webpack-plugin": "^3.0.2",
"feature-policy": "^0.4.0",
"helmet": "^3.21.2",
"moment": "^2.24.0", "moment": "^2.24.0",
"mongoose": "^5.8.7", "mongoose": "^5.10.9",
"node-fetch": "^2.6.0", "node-fetch": "^2.6.0",
"node-sass": "^4.13.0", "node-sass": "^4.13.0",
"node-schedule": "^1.3.2", "node-schedule": "^1.3.2",
@@ -35,7 +31,6 @@
"passport-local": "^1.0.0", "passport-local": "^1.0.0",
"passport-local-mongoose": "^6.0.1", "passport-local-mongoose": "^6.0.1",
"qrcode": "^1.4.4", "qrcode": "^1.4.4",
"referrer-policy": "^1.2.0",
"socket.io": "^2.3.0", "socket.io": "^2.3.0",
"socket.io-client": "^2.3.0", "socket.io-client": "^2.3.0",
"vue": "~2.6", "vue": "~2.6",

30
server.js
View File

@@ -19,32 +19,12 @@ const bodyParser = require("body-parser");
const mongoose = require("mongoose"); const mongoose = require("mongoose");
const MongoStore = require("connect-mongo")(session); const MongoStore = require("connect-mongo")(session);
const cors = require("cors");
const referrerPolicy = require("referrer-policy"); // middleware
const helmet = require("helmet"); const setupCORS = require(path.join(__dirname, "/middleware/setupCORS"));
const featurePolicy = require("feature-policy"); const setupHeaders = require(path.join(__dirname, "/middleware/setupHeaders"));
app.use(setupCORS)
const compression = require("compression"); app.use(setupHeaders)
app.use(compression());
app.use(
featurePolicy({
features: {
fullscreen: ["*"],
//vibrate: ["'none'"],
payment: ["'none'"],
microphone: ["'none'"],
camera: ["'self'"],
speaker: ["*"],
syncXhr: ["'self'"]
//notifications: ["'self'"]
}
})
);
app.use(helmet());
app.use(helmet.frameguard({ action: "sameorigin" }));
app.use(referrerPolicy({ policy: "origin" }));
app.use(cors()); app.use(cors());
mongoose.promise = global.Promise; mongoose.promise = global.Promise;