The subset of helmet, cors and referrer-policy functionality this app relies on is implemented directly in the setupCors and setupHeaders middleware, instead of pulling in those packages.
		
			
				
	
	
		
/**
 * Convert a camelCase identifier to kebab-case: every ASCII capital letter
 * becomes a hyphen followed by its lowercase form (`syncXhr` → `sync-xhr`).
 * Only A–Z are treated as word boundaries, so a leading capital yields a
 * leading hyphen and non-ASCII letters pass through untouched.
 *
 * @param {string} str camelCase input
 * @returns {string} kebab-case output
 */
const camelToKebabCase = (str) =>
  [...str]
    .map((ch) => (ch >= "A" && ch <= "Z" ? `-${ch.toLowerCase()}` : ch))
    .join("");
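// Allowlist keywords that the Feature-Policy grammar requires to be quoted.
// Everything else in an allowlist (`*` or a serialized origin) is emitted bare.
const FEATURE_POLICY_KEYWORDS = new Set(["self", "none", "src"]);

/**
 * Serialise a feature → allowlist map into a `Feature-Policy` header value.
 *
 * Keys are camelCase feature names and are converted to the kebab-case
 * directive names the header uses (`syncXhr` → `sync-xhr`). Values are the
 * allowlist for that feature:
 *   - `"*"`                        → emitted bare (allow in any context)
 *   - `"self"`, `"none"`, `"src"`  → emitted as the quoted keywords the spec requires
 *   - anything else, e.g. an origin such as `https://example.com` → emitted bare
 *     (the previous implementation quoted these, which produced an allowlist
 *     browsers reject)
 *   - an array of the above        → entries are space-separated
 *
 * The output for the `*` / `'self'` / `'none'` values used in this file is
 * unchanged.
 *
 * @param {Record<string, string | string[]>} features feature → allowlist
 * @returns {string} e.g. `fullscreen *; payment 'none'; camera 'self'`
 */
const mapFeaturePolicyToString = (features) => {
  const serialiseAllowlist = (allowlist) => {
    const entries = Array.isArray(allowlist) ? allowlist : [allowlist];
    return entries
      .map((entry) => String(entry))
      .map((entry) => (FEATURE_POLICY_KEYWORDS.has(entry) ? `'${entry}'` : entry))
      .join(" ");
  };

  return Object.entries(features)
    .map(([feature, allowlist]) => `${camelToKebabCase(feature)} ${serialiseAllowlist(allowlist)}`)
    .join("; ");
};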
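// Feature → allowlist table for the Feature-Policy header. Built once at
// module load instead of on every request, and frozen so nothing elsewhere
// can loosen the policy at runtime.
const FEATURE_POLICY = Object.freeze({
  fullscreen: "*",
  payment: "none",
  microphone: "none",
  camera: "self",
  speaker: "*",
  syncXhr: "self",
});

/**
 * Express middleware that sets the response security headers this app used to
 * get from helmet, plus the CORS allowed-request-headers list.
 *
 * Headers are set unconditionally on every response that passes through the
 * middleware; nothing here inspects the request.
 *
 * @param {import("express").Request} req incoming request (unused)
 * @param {import("express").Response} res response whose headers are set
 * @param {import("express").NextFunction} next continuation; its return value is returned
 * @returns {*} whatever `next()` returns
 */
const setupHeaders = (req, res, next) => {
  // CORS: Content-Type is the only non-simple request header preflight may ask for.
  // NOTE(review): Access-Control-Allow-Origin / -Methods are not set in this
  // file — presumably in setupCors; confirm the two middlewares stay consistent.
  res.set("Access-Control-Allow-Headers", "Content-Type");

  // --- Security headers (helmet equivalents) ---

  // Stop browsers MIME-sniffing a response away from its declared Content-Type.
  res.set("X-Content-Type-Options", "nosniff");
  // Legacy XSS auditor. Current browsers ignore this header, and the auditor in
  // older ones was itself abusable for cross-site leaks, which is why helmet now
  // sends "0". Kept at the historical value to preserve behaviour; the real
  // defence is a Content-Security-Policy, which this file does not set.
  res.set("X-XSS-Protection", "1; mode=block");
  // Clickjacking: only same-origin pages may frame this app. CSP
  // `frame-ancestors` is the modern replacement and should accompany this.
  res.set("X-Frame-Options", "SAMEORIGIN");
  // Don't let the browser pre-resolve hostnames of linked origins (privacy).
  res.set("X-DNS-Prefetch-Control", "off");
  // Legacy IE: never open a download directly in this site's origin context.
  res.set("X-Download-Options", "noopen");
  // HSTS for 180 days, covering subdomains. Browsers only honour it on an
  // HTTPS response; the max-age is below the >= 1 year preload lists require,
  // and includeSubDomains forces every subdomain onto HTTPS — confirm intended.
  res.set("Strict-Transport-Security", "max-age=15552000; includeSubDomains");

  // Feature-Policy limits which browser features this page (and frames it
  // embeds) may use. It has been superseded by Permissions-Policy, which uses
  // a different syntax; only the legacy header is sent here.
  res.set("Feature-Policy", mapFeaturePolicyToString(FEATURE_POLICY));

  return next();
};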
// Export the middleware itself so callers can pass it straight to `app.use(...)`.
module.exports = setupHeaders;