-app.use(helmet({
- frameguard: {
- action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
- },
- dnsPrefetchControl: {
- allow: true
- },
- contentSecurityPolicy: {
- directives: {
- defaultSrc: ['*', 'data:', REMOTE_SCHEME.WS + ':', REMOTE_SCHEME.HTTP + ':'],
- fontSrc: ["'self'", 'data:'],
- frameSrc: ["'none'"],
- mediaSrc: ['*', REMOTE_SCHEME.HTTP + ':'],
- objectSrc: ["'none'"],
- scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
- styleSrc: ["'self'", "'unsafe-inline'"],
- upgradeInsecureRequests: false
+import { baseCSP } from './server/middlewares/csp'
+
+if (CONFIG.CSP.ENABLED) {
+ app.use(baseCSP)
+ app.use(helmet({
+ frameguard: {
+ action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts