Merge pull request #490 from zoff-music/feature/security-headers

Feature/security headers

package.json

@@ -40,6 +40,7 @@
     "express-handlebars": "^3.0.2",
     "express-recaptcha": "^3.0.1",
     "express-session": "^1.15.6",
+    "feature-policy": "^0.2.0",
     "gulp-sourcemaps": "^2.6.5",
     "gulp-uglify-es": "^1.0.4",
     "helmet": "^3.16.0",
@@ -53,6 +54,7 @@
     "passport": "^0.4.0",
     "passport-local": "^1.0.0",
     "redis": "^2.8.0",
+    "referrer-policy": "^1.1.0",
     "request": "^2.88.0",
     "socket.io": "^2.2.0",
     "socket.io-redis": "^5.2.0",

server/apps/admin.js

@@ -23,6 +23,7 @@ var session = require('express-session');
 var MongoStore = require('connect-mongo')(session);
 var api = require(pathThumbnails + '/routing/admin/api.js');
 
+var compression = require('compression');
 var User = require(pathThumbnails + '/models/user.js');
 var url = 'mongodb://' + mongo_db_cred.host + '/' + mongo_db_cred.users;
 mongoose.connect(url);
@@ -30,7 +31,40 @@ mongoose.connect(url);
 
 app.engine('handlebars', hbs.engine);
 app.set('view engine', 'handlebars');
+app.use(compression({filter: shouldCompress}))
+
+function shouldCompress (req, res) {
+    if (req.headers['x-no-compression']) {
+        // don't compress responses with this request header
+        return false;
+    }
+
+    // fallback to standard filter function
+    return compression.filter(req, res);
+}
 app.set('trust proxy', '127.0.0.1');
+
+var bodyParser = require('body-parser');
+var cookieParser = require("cookie-parser");
+var referrerPolicy = require('referrer-policy');
+var helmet = require('helmet');
+var featurePolicy = require('feature-policy');
+app.use(featurePolicy({
+    features: {
+        fullscreen: ["*"],
+        //vibrate: ["'none'"],
+        payment: ["'none'"],
+        microphone: ["'none'"],
+        camera: ["'none'"],
+        speaker: ["*"],
+        syncXhr: ["'self'"],
+        //notifications: ["'self'"]
+    }
+}));
+app.use(helmet({
+    frameguard: false,
+}));
+app.use(referrerPolicy({ policy: 'origin-when-cross-origin' }));
 app.enable('view cache');
 app.set('views', publicPath);
 app.use( bodyParser.json() );       // to support JSON-encoded bodies

server/apps/client.js

@@ -63,10 +63,25 @@ app.set('trust proxy', '127.0.0.1');
 
 var bodyParser = require('body-parser');
 var cookieParser = require("cookie-parser");
-var helmet = require('helmet')
+var referrerPolicy = require('referrer-policy');
-app.use(helmet({
+var helmet = require('helmet');
-  frameguard: false
+var featurePolicy = require('feature-policy');
+app.use(featurePolicy({
+    features: {
+        fullscreen: ["*"],
+        //vibrate: ["'none'"],
+        payment: ["'none'"],
+        microphone: ["'none'"],
+        camera: ["'none'"],
+        speaker: ["*"],
+        syncXhr: ["'self'"],
+        //notifications: ["'self'"]
+    }
 }));
+app.use(helmet({
+    frameguard: false,
+}));
+app.use(referrerPolicy({ policy: 'origin-when-cross-origin' }));
 app.use( bodyParser.json() );       // to support JSON-encoded bodies
 app.use(bodyParser.urlencoded({     // to support URL-encoded bodies
     extended: true