# strategy: 'recently-added' # Cache recently added videos
# min_views: 10 # Having at least x views
+csp:
+ enabled: false
+ report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!
+ report_uri:
+
cache:
previews:
size: 500 # Max number of previews you want to cache
"# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:"
services:
- # You can provide a reporting endpoint for Content Security Policy violations
- csp-logger:
# Cards configuration to format video in Twitter
twitter:
username: '@Chocobozzz' # Indicates the Twitter account for the website or platform on which the content was published
# strategy: 'recently-added' # Cache recently added videos
# min_views: 10 # Having at least x views
+csp:
+ enabled: false
+ report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!
+ report_uri:
+
+
###############################################################################
#
# From this point, all the following keys can be overridden by the web interface
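Review bot: `report_uri:` is added with no value and no comment, so an admin reading the example has nothing telling them what belongs there or that leaving it empty disables violation reporting; the `csp-logger` key it replaces at least said in its comment that it was a reporting endpoint. Suggest `report_uri: '' # Absolute URL of an endpoint that receives CSP violation reports (e.g. https://example.com/csp-report); leave empty to disable reporting`. The `report_only` comment could also say plainly what the risk is: with `report_only: false` browsers enforce the policy and block any resource the directives do not allow, rather than just reporting it.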
// Security middleware
import { baseCSP } from './server/middlewares'
-app.use(baseCSP)
-app.use(helmet({
- frameguard: {
- action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
- },
- hsts: false
-}))
+if (CONFIG.CSP.ENABLED) {
+ app.use(baseCSP)
+ app.use(helmet({
+ frameguard: {
+ action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
+ },
+ hsts: false
+ }))
+}
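Review bot: Gating the whole `helmet(...)` call on `CONFIG.CSP.ENABLED` also drops the `frameguard: { action: 'deny' }` header (and the `hsts: false` opt-out) whenever CSP is off, which is the new yaml default, so the X-Frame-Options protection the inline comment says everything except `/videos/embed` relies on is silently lost. Only the CSP middleware was made configurable; keep `app.use(helmet({ frameguard: { action: 'deny' }, hsts: false }))` unconditional and wrap just `app.use(baseCSP)` in `if (CONFIG.CSP.ENABLED) { ... }`. If X-Frame-Options is meant to become configurable too, it deserves its own key rather than riding on `csp.enabled`. Note also that before this change `baseCSP` was always installed in report-only mode, so with the default `enabled: false` instances that do not opt in now emit no CSP at all.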
// ----------- Database -----------
// Return an error message, or null if everything is okay
function checkConfig () {
+ // Moved configuration keys
+ if (config.has('services.csp-logger')) {
+ logger.warn('services.csp-logger configuration has been renamed to csp.report_uri. Please update your configuration file.')
+ }
+
+ // Email verification
if (!Emailer.isEnabled()) {
if (CONFIG.SIGNUP.ENABLED && CONFIG.SIGNUP.REQUIRES_EMAIL_VERIFICATION) {
return 'Emailer is disabled but you require signup email verification.'
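Review bot: The new moved-key check only warns about a leftover `services.csp-logger`, but nothing catches the combination the new defaults make easy to end up with: `csp.enabled: true` with `csp.report_only: true` and an empty `csp.report_uri`, where the browser enforces nothing and reports nowhere, so the policy is a silent no-op. Add a second warning next to the first, e.g. `if (CONFIG.CSP.ENABLED && CONFIG.CSP.REPORT_ONLY && !CONFIG.CSP.REPORT_URI) logger.warn('CSP is in report-only mode but csp.report_uri is empty: violations will not be reported anywhere.')`. `CONFIG` is already used a few lines below, so it is in scope here. checkConfig continues past the end of the hunk.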
'storage.redundancy', 'storage.tmp', 'storage.playlists',
'log.level',
'user.video_quota', 'user.video_quota_daily',
+ 'csp.enabled', 'csp.report_only', 'csp.report_uri',
'cache.previews.size', 'admin.email', 'contact_form.enabled',
'signup.enabled', 'signup.limit', 'signup.requires_email_verification',
'signup.filters.cidr.whitelist', 'signup.filters.cidr.blacklist',
STRATEGIES: buildVideosRedundancy(config.get<any[]>('redundancy.videos.strategies'))
}
},
+ CSP: {
+ ENABLED: config.get<boolean>('csp.enabled'),
+ REPORT_ONLY: config.get<boolean>('csp.report_only'),
+ REPORT_URI: config.get<boolean>('csp.report_uri')
+ },
ADMIN: {
get EMAIL () { return config.get<string>('admin.email') }
},
get SECURITYTXT_CONTACT () { return config.get<string>('admin.email') }
},
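Review bot: `REPORT_URI` is read with `config.get<boolean>('csp.report_uri')` although the value is a URL string that the CSP middleware later hands to helmet's `reportUri` directive; the type parameter is erased at runtime so nothing breaks today, but the declared type is wrong and will mislead or fail to compile for any consumer that treats it as a string. Change it to `REPORT_URI: config.get<string>('csp.report_uri')`. The yaml defaults leave `report_uri:` without a value, so at runtime this is presumably null/undefined rather than a string — the truthiness check in the middleware covers that, but declaring it `string | null` would document it. The enclosing `CONFIG` object starts before this hunk.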
SERVICES: {
- get 'CSP-LOGGER' () { return config.get<string>('services.csp-logger') },
TWITTER: {
get USERNAME () { return config.get<string>('services.twitter.username') },
get WHITELISTED () { return config.get<boolean>('services.twitter.whitelisted') }
frameSrc: ["'self'"], // instead of deprecated child-src / self because of test-embed
workerSrc: ["'self'", 'blob:'] // instead of deprecated child-src
},
- CONFIG.SERVICES['CSP-LOGGER'] ? { reportUri: CONFIG.SERVICES['CSP-LOGGER'] } : {},
+ CONFIG.CSP.REPORT_URI ? { reportUri: CONFIG.CSP.REPORT_URI } : {},
CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: true } : {}
)
const baseCSP = helmet.contentSecurityPolicy({
directives: baseDirectives,
browserSniff: false,
- reportOnly: true
+ reportOnly: CONFIG.CSP.REPORT_ONLY
})
const embedCSP = helmet.contentSecurityPolicy({
- directives: Object.assign(baseDirectives, {
- frameAncestors: ['*']
- }),
+ directives: Object.assign({}, baseDirectives, { frameAncestors: ['*'] }),
browserSniff: false, // assumes a modern browser, but allows CDN in front
- reportOnly: true
+ reportOnly: CONFIG.CSP.REPORT_ONLY
})
// ---------------------------------------------------------------------------
name: "PEERTUBE_INSTANCE_NAME"
description: "PEERTUBE_INSTANCE_DESCRIPTION"
terms: "PEERTUBE_INSTANCE_TERMS"
-
-services:
- csp-logger: "PEERTUBE_SERVICES_CSPLOGGER"