Added more security headers

2025-10-29 18:00:23 +00:00 · 2019-03-21 20:01:56 +01:00
parent 017ecc0b94
commit 7c57dfaf98
3 changed files with 31 additions and 1 deletions
--- a/server/apps/admin.js
+++ b/server/apps/admin.js
@@ -30,7 +30,34 @@ mongoose.connect(url);

 app.engine('handlebars', hbs.engine);
 app.set('view engine', 'handlebars');
+app.use(compression({filter: shouldCompress}))
+
+function shouldCompress (req, res) {
+  if (req.headers['x-no-compression']) {
+    // don't compress responses with this request header
+    return false;
+  }
+
+  // fallback to standard filter function
+  return compression.filter(req, res);
+}
 app.set('trust proxy', '127.0.0.1');
+
+var bodyParser = require('body-parser');
+var cookieParser = require("cookie-parser");
+var referrerPolicy = require('referrer-policy');
+var helmet = require('helmet');
+app.use(helmet({
+  frameguard: false,
+  features: {
+    fullscreen: ["'self'"],
+    vibrate: ["'none'"],
+    payment: ['none'],
+    syncXhr: ["'*'"],
+	notifications: ["'self'"]
+  }
+}));
+app.use(referrerPolicy({ policy: 'origin-when-cross-origin' }));
 app.enable('view cache');
 app.set('views', publicPath);
 app.use( bodyParser.json() );       // to support JSON-encoded bodies
--- a/server/apps/client.js
+++ b/server/apps/client.js
@@ -63,10 +63,12 @@ app.set('trust proxy', '127.0.0.1');

 var bodyParser = require('body-parser');
 var cookieParser = require("cookie-parser");
-var helmet = require('helmet')
+var referrerPolicy = require('referrer-policy');
+var helmet = require('helmet');
 app.use(helmet({
  frameguard: false
 }));
+app.use(referrerPolicy({ policy: 'origin-when-cross-origin' }));
 app.use( bodyParser.json() );       // to support JSON-encoded bodies
 app.use(bodyParser.urlencoded({     // to support URL-encoded bodies
 	extended: true