// Do not use barrels because we don't want to load all modules here (we need to initialize database first)
import { logger } from './server/helpers/logger'
-import { API_VERSION, CONFIG, STATIC_PATHS, CACHE } from './server/initializers/constants'
+import { API_VERSION, CONFIG, STATIC_PATHS, CACHE, REMOTE_SCHEME } from './server/initializers/constants'
const missed = checkMissedConfig()
if (missed.length !== 0) {
// Trust our proxy (IP forwarding...)
app.set('trust proxy', CONFIG.TRUST_PROXY)
-// Security middlewares
+// Security middleware
app.use(helmet({
frameguard: {
action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
},
contentSecurityPolicy: {
directives: {
- fontSrc: ["'self'"],
+ defaultSrc: ['*', 'data:', REMOTE_SCHEME.WS + ':', REMOTE_SCHEME.HTTP + ':'],
+ fontSrc: ["'self'", 'data:'],
frameSrc: ["'none'"],
- mediaSrc: ['*', 'https:'],
+ mediaSrc: ['*', REMOTE_SCHEME.HTTP + ':'],
objectSrc: ["'none'"],
- scriptSrc: ["'self'"],
- styleSrc: ["'self'"],
- upgradeInsecureRequests: true
+ scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
+ styleSrc: ["'self'", "'unsafe-inline'"],
+ upgradeInsecureRequests: false
},
browserSniff: false // assumes a modern browser, but allows CDN in front
},
policy: 'strict-origin-when-cross-origin'
}
}))
+app.use((_, res, next) => {
+ [
+ "vibrate 'none'",
+ "geolocation 'none'",
+ "camera 'none'",
+ "microphone 'none'",
+ "magnetometer 'none'",
+ "payment 'none'",
+ "accelerometer 'none'"
+ ].forEach(e => res.append('Feature-Policy', e + ';'))
+ next()
+})
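Review bot: The new `scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"]` together with `defaultSrc: ['*', ...]` leaves the Content-Security-Policy with almost no protection against injected script, and `upgradeInsecureRequests: false` drops the HTTPS upgrade as well; the hunk makes this loosening without saying why. If the client genuinely needs inline and eval'd script (presumably for the client bundle), that reason and the intended way back to a nonce- or hash-based `scriptSrc` belong next to the directive, e.g. `// 'unsafe-inline'/'unsafe-eval' are needed by the client bundle for now; TODO: replace with nonces/hashes and drop '*' from defaultSrc`. Note that `defaultSrc` is the fallback for every directive not listed here (connect-src, img-src, ...), so the `'*'` entry widens those too. In the Feature-Policy middleware, `res.append` emits one `Feature-Policy` header field per directive; building a single field with `res.setHeader('Feature-Policy', directives.join('; '))` is the more conventional form and does not rely on how each client merges repeated fields.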
// ----------- Database -----------