Merge pull request #490 from zoff-music/feature/security-headers

Feature/security headers
2025-10-29 18:00:23 +00:00 · 2019-03-21 20:17:06 +01:00
parent 017ecc0b94 dc3bd12f69
commit 8123c71185
3 changed files with 233 additions and 182 deletions
--- a/package.json
+++ b/package.json
@@ -40,6 +40,7 @@
    "express-handlebars": "^3.0.2",
    "express-recaptcha": "^3.0.1",
    "express-session": "^1.15.6",
+    "feature-policy": "^0.2.0",
    "gulp-sourcemaps": "^2.6.5",
    "gulp-uglify-es": "^1.0.4",
    "helmet": "^3.16.0",
@@ -53,6 +54,7 @@
    "passport": "^0.4.0",
    "passport-local": "^1.0.0",
    "redis": "^2.8.0",
+    "referrer-policy": "^1.1.0",
    "request": "^2.88.0",
    "socket.io": "^2.2.0",
    "socket.io-redis": "^5.2.0",
--- a/server/apps/admin.js
+++ b/server/apps/admin.js
@@ -23,6 +23,7 @@ var session = require('express-session');
 var MongoStore = require('connect-mongo')(session);
 var api = require(pathThumbnails + '/routing/admin/api.js');

+var compression = require('compression');
 var User = require(pathThumbnails + '/models/user.js');
 var url = 'mongodb://' + mongo_db_cred.host + '/' + mongo_db_cred.users;
 mongoose.connect(url);
@@ -30,7 +31,40 @@ mongoose.connect(url);

 app.engine('handlebars', hbs.engine);
 app.set('view engine', 'handlebars');
+app.use(compression({filter: shouldCompress}))
+
+function shouldCompress (req, res) {
+    if (req.headers['x-no-compression']) {
+        // don't compress responses with this request header
+        return false;
+    }
+
+    // fallback to standard filter function
+    return compression.filter(req, res);
+}
 app.set('trust proxy', '127.0.0.1');
+
+var bodyParser = require('body-parser');
+var cookieParser = require("cookie-parser");
+var referrerPolicy = require('referrer-policy');
+var helmet = require('helmet');
+var featurePolicy = require('feature-policy');
+app.use(featurePolicy({
+    features: {
+        fullscreen: ["*"],
+        //vibrate: ["'none'"],
+        payment: ["'none'"],
+        microphone: ["'none'"],
+        camera: ["'none'"],
+        speaker: ["*"],
+        syncXhr: ["'self'"],
+        //notifications: ["'self'"]
+    }
+}));
+app.use(helmet({
+    frameguard: false,
+}));
+app.use(referrerPolicy({ policy: 'origin-when-cross-origin' }));
 app.enable('view cache');
 app.set('views', publicPath);
 app.use( bodyParser.json() );       // to support JSON-encoded bodies
--- a/server/apps/client.js
+++ b/server/apps/client.js
@@ -63,10 +63,25 @@ app.set('trust proxy', '127.0.0.1');

 var bodyParser = require('body-parser');
 var cookieParser = require("cookie-parser");
-var helmet = require('helmet')
-app.use(helmet({
-  frameguard: false
+var referrerPolicy = require('referrer-policy');
+var helmet = require('helmet');
+var featurePolicy = require('feature-policy');
+app.use(featurePolicy({
+    features: {
+        fullscreen: ["*"],
+        //vibrate: ["'none'"],
+        payment: ["'none'"],
+        microphone: ["'none'"],
+        camera: ["'none'"],
+        speaker: ["*"],
+        syncXhr: ["'self'"],
+        //notifications: ["'self'"]
+    }
 }));
+app.use(helmet({
+    frameguard: false,
+}));
+app.use(referrerPolicy({ policy: 'origin-when-cross-origin' }));
 app.use( bodyParser.json() );       // to support JSON-encoded bodies
 app.use(bodyParser.urlencoded({     // to support URL-encoded bodies
    extended: true