diff options
Diffstat (limited to 'server.ts')
-rw-r--r-- | server.ts | 19 |
1 files changed, 16 insertions, 3 deletions
@@ -59,12 +59,13 @@ app.use(helmet({ | |||
59 | }, | 59 | }, |
60 | contentSecurityPolicy: { | 60 | contentSecurityPolicy: { |
61 | directives: { | 61 | directives: { |
62 | fontSrc: ["'self'"], | 62 | defaultSrc: ['*', 'data:', 'wss:', 'https:'], |
63 | fontSrc: ["'self'", 'data:'], | ||
63 | frameSrc: ["'none'"], | 64 | frameSrc: ["'none'"], |
64 | mediaSrc: ['*', 'https:'], | 65 | mediaSrc: ['*', 'https:'], |
65 | objectSrc: ["'none'"], | 66 | objectSrc: ["'none'"], |
66 | scriptSrc: ["'self'"], | 67 | scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"], |
67 | styleSrc: ["'self'"], | 68 | styleSrc: ["'self'", "'unsafe-inline'"], |
68 | upgradeInsecureRequests: true | 69 | upgradeInsecureRequests: true |
69 | }, | 70 | }, |
70 | browserSniff: false // assumes a modern browser, but allows CDN in front | 71 | browserSniff: false // assumes a modern browser, but allows CDN in front |
@@ -73,6 +74,18 @@ app.use(helmet({ | |||
73 | policy: 'strict-origin-when-cross-origin' | 74 | policy: 'strict-origin-when-cross-origin' |
74 | } | 75 | } |
75 | })) | 76 | })) |
77 | app.use((_, res, next) => { | ||
78 | [ | ||
79 | "vibrate 'none'", | ||
80 | "geolocation 'none'", | ||
81 | "camera 'none'", | ||
82 | "microphone 'none'", | ||
83 | "magnetometer 'none'", | ||
84 | "payment 'none'", | ||
85 | "accelerometer 'none'" | ||
86 | ].forEach(e => res.append('Feature-Policy', e + ';')) | ||
87 | next() | ||
88 | }) | ||
76 | 89 | ||
77 | // ----------- Database ----------- | 90 | // ----------- Database ----------- |
78 | 91 | ||