BREAKING: update CSP configuration

Disable it by default and add ability to specify a custom report uri
author: Chocobozzz <me@florianbigard.com> 2019-02-21 16:27:32 +0100
committer: Chocobozzz <me@florianbigard.com> 2019-02-21 16:28:53 +0100
commit: 539d3f4faa1c1d2dbc68bb3ac0ba3549252e0f2a (patch)
tree: 9bddd2ba539a49b3741fbd2ff3a2127e41a40268 /server.ts
parent: c8000975d361fae166a6ebecac5005238e14d4c9 (diff)
download: PeerTube-539d3f4faa1c1d2dbc68bb3ac0ba3549252e0f2a.tar.gz
PeerTube-539d3f4faa1c1d2dbc68bb3ac0ba3549252e0f2a.tar.zst
PeerTube-539d3f4faa1c1d2dbc68bb3ac0ba3549252e0f2a.zip
1 files changed, 9 insertions, 7 deletions
diff --git a/server.ts b/server.ts
index b50151859..c450d5b6e 100644
--- a/server.ts
+++ b/server.ts
@@ -55,13 +55,15 @@ app.set('trust proxy', CONFIG.TRUST_PROXY)
 // Security middleware
 import { baseCSP } from './server/middlewares'
-app.use(baseCSP)
+if (CONFIG.CSP.ENABLED) {
-app.use(helmet({
+  app.use(baseCSP)
-  frameguard: {
+  app.use(helmet({
-    action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
+    frameguard: {
-  },
+      action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
-  hsts: false
+    },
-}))
+    hsts: false
+  }))
+}
 // ----------- Database -----------
author	Chocobozzz <me@florianbigard.com>	2019-02-21 16:27:32 +0100
committer	Chocobozzz <me@florianbigard.com>	2019-02-21 16:28:53 +0100
commit	539d3f4faa1c1d2dbc68bb3ac0ba3549252e0f2a (patch)
tree	9bddd2ba539a49b3741fbd2ff3a2127e41a40268 /server.ts
parent	c8000975d361fae166a6ebecac5005238e14d4c9 (diff)
download	PeerTube-539d3f4faa1c1d2dbc68bb3ac0ba3549252e0f2a.tar.gz PeerTube-539d3f4faa1c1d2dbc68bb3ac0ba3549252e0f2a.tar.zst PeerTube-539d3f4faa1c1d2dbc68bb3ac0ba3549252e0f2a.zip

diff --git a/server.ts b/server.ts index b50151859..c450d5b6e 100644 --- a/server.ts +++ b/server.ts
@@ -55,13 +55,15 @@ app.set('trust proxy', CONFIG.TRUST_PROXY)
55	// Security middleware	55	// Security middleware
56	import { baseCSP } from './server/middlewares'	56	import { baseCSP } from './server/middlewares'
57		57
58	app.use(baseCSP)	58	if (CONFIG.CSP.ENABLED) {
59	app.use(helmet({	59	app.use(baseCSP)
60	frameguard: {	60	app.use(helmet({
61	action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts	61	frameguard: {
62	},	62	action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
63	hsts: false	63	},
64	}))	64	hsts: false
		65	}))
		66	}
65		67
66	// ----------- Database -----------	68	// ----------- Database -----------
67		69