X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=server.ts;h=a688bb5d082a108ecee908a4366c1d2f39b690df;hb=0f7fedc39857ebc0eb29182c1588a92b9adfb75a;hp=a6052faed37220501cf120d5ea8e53dc2e5ea6ae;hpb=f4001cf408a99049d01a356bfb20a62342de06ea;p=github%2FChocobozzz%2FPeerTube.git
diff --git a/server.ts b/server.ts
index a6052faed..a688bb5d0 100644
--- a/server.ts
+++ b/server.ts
@@ -15,6 +15,7 @@ import * as express from 'express'
 import * as morgan from 'morgan'
 import * as cors from 'cors'
 import * as cookieParser from 'cookie-parser'
+import * as helmet from 'helmet'
 process.title = 'peertube'
@@ -48,6 +49,31 @@ if (errorMessage !== null) {
 // Trust our proxy (IP forwarding...)
 app.set('trust proxy', CONFIG.TRUST_PROXY)
+// Security middlewares
+app.use(helmet({
+ frameguard: {
+ action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
+ },
+ dnsPrefetchControl: {
+ allow: true
+ },
+ contentSecurityPolicy: {
+ directives: {
+ fontSrc: ["'self'"],
+ frameSrc: ["'none'"],
+ mediaSrc: ['*', 'https:'],
+ objectSrc: ["'none'"],
+ scriptSrc: ["'self'"],
+ styleSrc: ["'self'"],
+ upgradeInsecureRequests: true
+ },
+ browserSniff: false // assumes a modern browser, but allows CDN in front
+ },
+ referrerPolicy: {
+ policy: 'strict-origin-when-cross-origin'
+ }
+}))
+
 // ----------- Database -----------
 // Initialize database and models
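Review bot: The `contentSecurityPolicy.directives` object in the second hunk has no `default-src`, so every fetch directive that is not named there (`connect-src`, `img-src`, `worker-src`, `child-src`, `manifest-src`) falls back to the browser's default of allowing any origin, and `base-uri` and `form-action` are likewise left unrestricted; as far as I can tell from this hunk helmet is not supplying a default for them. Add `defaultSrc: ["'self'"],` as the first directive and then widen only what the client actually needs (for example `imgSrc`/`connectSrc` for remote instances, the way `mediaSrc` already is), and consider `baseUri: ["'self'"]` and `formAction: ["'self'"]` alongside it. `mediaSrc: ['*', 'https:']` is also redundant — `'*'` already matches every https origin, so the second entry adds nothing; keep `['*']` if any scheme is intended or drop `'*'` if only HTTPS sources should play. Note that `scriptSrc`/`styleSrc` of `'self'` only will block any inline script or style the client bundle injects, which is presumably intended but worth confirming against the front-end before this ships.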