1 files changed, 19 insertions, 1 deletions
diff --git a/server.ts b/server.ts
index 26750802c..a688bb5d0 100644
--- a/server.ts
+++ b/server.ts
@@ -52,7 +52,25 @@ app.set('trust proxy', CONFIG.TRUST_PROXY)
 // Security middlewares
 app.use(helmet({
  frameguard: {
-    action: 'deny'
+    action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
+  },
+  dnsPrefetchControl: {
+    allow: true
+  },
+  contentSecurityPolicy: {
+    directives: {
+      fontSrc: ["'self'"],
+      frameSrc: ["'none'"],
+      mediaSrc: ['*', 'https:'],
+      objectSrc: ["'none'"],
+      scriptSrc: ["'self'"],
+      styleSrc: ["'self'"],
+      upgradeInsecureRequests: true
+    },
+    browserSniff: false // assumes a modern browser, but allows CDN in front
+  },
+  referrerPolicy: {
+    policy: 'strict-origin-when-cross-origin'
  }
 }))

diff --git a/server.ts b/server.ts index 26750802c..a688bb5d0 100644 --- a/server.ts +++ b/server.ts
@@ -52,7 +52,25 @@ app.set('trust proxy', CONFIG.TRUST_PROXY)
52	// Security middlewares	52	// Security middlewares
53	app.use(helmet({	53	app.use(helmet({
54	frameguard: {	54	frameguard: {
55	action: 'deny'	55	action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
		56	},
		57	dnsPrefetchControl: {
		58	allow: true
		59	},
		60	contentSecurityPolicy: {
		61	directives: {
		62	fontSrc: ["'self'"],
		63	frameSrc: ["'none'"],
		64	mediaSrc: ['*', 'https:'],
		65	objectSrc: ["'none'"],
		66	scriptSrc: ["'self'"],
		67	styleSrc: ["'self'"],
		68	upgradeInsecureRequests: true
		69	},
		70	browserSniff: false // assumes a modern browser, but allows CDN in front
		71	},
		72	referrerPolicy: {
		73	policy: 'strict-origin-when-cross-origin'
56	}	74	}
57	}))	75	}))
58		76