author | Rigel Kent <par@rigelk.eu> | 2018-12-13 09:49:45 +0100 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2018-12-13 09:49:45 +0100 |
commit | 5e755fff9d70a7fd3c4f85bb524f1b774dd85b25 (patch) | |
tree | 699a0724de91f4151ec7d67b700f5b7736a78e45 /server.ts | |
parent | 9ecac97be024cf2277872986950d7eec85cbc76e (diff) | |
download | PeerTube-5e755fff9d70a7fd3c4f85bb524f1b774dd85b25.tar.gz PeerTube-5e755fff9d70a7fd3c4f85bb524f1b774dd85b25.tar.zst PeerTube-5e755fff9d70a7fd3c4f85bb524f1b774dd85b25.zip |
add Content Security Policy (#1252)
* add Content Security Policy
* remove reflect-metadata on production builds to get rid of unsafe-eval
* fix baseCSP usage
* add SRI to CSP
* add blob: to media-src
* remove SRI
* CSP set to reportOnly
* adding data: to connect-src CSP
* remove block-all-mixed-content
* add report-uri support
Diffstat (limited to 'server.ts')
-rw-r--r-- | server.ts | 3 |
1 files changed, 3 insertions, 0 deletions
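--- a/server.ts
+++ b/server.ts
@@ -53,6 +53,9 @@ if (errorMessage !== null) {
 app.set('trust proxy', CONFIG.TRUST_PROXY)
 
 // Security middleware
+import { baseCSP } from './server/middlewares'
+
+app.use(baseCSP)
 app.use(helmet({
 frameguard: {
 action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts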
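Review bot: The `import { baseCSP } from './server/middlewares'` added at new line 56 sits between executable statements; ES module imports are hoisted, so it behaves as if it were at the top of server.ts, but placing it mid-file obscures that and diverges from where the file's other imports live. Move it into the existing import block (outside this hunk) and keep only `app.use(baseCSP)` under the `// Security middleware` comment. The commit description says the policy is emitted in report-only mode, which is not visible at the call site; a comment such as `// CSP is report-only (see baseCSP): violations are reported, not blocked` would stop a reader from assuming the header enforces. The hunk also registers baseCSP ahead of helmet; if the helmet version in use emits its own Content-Security-Policy by default, two CSP headers would be sent, so the helmet options are worth checking — the `app.use(helmet({...}))` call continues past the end of this hunk.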