diff options
| -rw-r--r-- | server.ts | 19 |
1 files changed, 16 insertions, 3 deletions
| @@ -59,12 +59,13 @@ app.use(helmet({ | |||
| 59 | }, | 59 | }, |
| 60 | contentSecurityPolicy: { | 60 | contentSecurityPolicy: { |
| 61 | directives: { | 61 | directives: { |
| 62 | fontSrc: ["'self'"], | 62 | defaultSrc: ['*', 'data:', 'wss:', 'https:'], |
| 63 | fontSrc: ["'self'", 'data:'], | ||
| 63 | frameSrc: ["'none'"], | 64 | frameSrc: ["'none'"], |
| 64 | mediaSrc: ['*', 'https:'], | 65 | mediaSrc: ['*', 'https:'], |
| 65 | objectSrc: ["'none'"], | 66 | objectSrc: ["'none'"], |
| 66 | scriptSrc: ["'self'"], | 67 | scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"], |
| 67 | styleSrc: ["'self'"], | 68 | styleSrc: ["'self'", "'unsafe-inline'"], |
| 68 | upgradeInsecureRequests: true | 69 | upgradeInsecureRequests: true |
| 69 | }, | 70 | }, |
| 70 | browserSniff: false // assumes a modern browser, but allows CDN in front | 71 | browserSniff: false // assumes a modern browser, but allows CDN in front |
| @@ -73,6 +74,18 @@ app.use(helmet({ | |||
| 73 | policy: 'strict-origin-when-cross-origin' | 74 | policy: 'strict-origin-when-cross-origin' |
| 74 | } | 75 | } |
| 75 | })) | 76 | })) |
| 77 | app.use((_, res, next) => { | ||
| 78 | [ | ||
| 79 | "vibrate 'none'", | ||
| 80 | "geolocation 'none'", | ||
| 81 | "camera 'none'", | ||
| 82 | "microphone 'none'", | ||
| 83 | "magnetometer 'none'", | ||
| 84 | "payment 'none'", | ||
| 85 | "accelerometer 'none'" | ||
| 86 | ].forEach(e => res.append('Feature-Policy', e + ';')) | ||
| 87 | next() | ||
| 88 | }) | ||
| 76 | 89 | ||
| 77 | // ----------- Database ----------- | 90 | // ----------- Database ----------- |
| 78 | 91 | ||