aboutsummaryrefslogtreecommitdiffhomepage
path: root/server
diff options
context:
space:
mode:
Diffstat (limited to 'server')
-rw-r--r--server/initializers/config.ts2
-rw-r--r--server/middlewares/csp.ts4
2 files changed, 2 insertions, 4 deletions
diff --git a/server/initializers/config.ts b/server/initializers/config.ts
index 04ba605b6..b40e525a5 100644
--- a/server/initializers/config.ts
+++ b/server/initializers/config.ts
@@ -125,7 +125,7 @@ const CONFIG = {
125 CSP: { 125 CSP: {
126 ENABLED: config.get<boolean>('csp.enabled'), 126 ENABLED: config.get<boolean>('csp.enabled'),
127 REPORT_ONLY: config.get<boolean>('csp.report_only'), 127 REPORT_ONLY: config.get<boolean>('csp.report_only'),
128 REPORT_URI: config.get<boolean>('csp.report_uri') 128 REPORT_URI: config.get<string>('csp.report_uri')
129 }, 129 },
130 TRACKER: { 130 TRACKER: {
131 ENABLED: config.get<boolean>('tracker.enabled'), 131 ENABLED: config.get<boolean>('tracker.enabled'),
diff --git a/server/middlewares/csp.ts b/server/middlewares/csp.ts
index f5de69603..0ee44bf47 100644
--- a/server/middlewares/csp.ts
+++ b/server/middlewares/csp.ts
@@ -19,18 +19,16 @@ const baseDirectives = Object.assign({},
19 workerSrc: [ '\'self\'', 'blob:' ] // instead of deprecated child-src 19 workerSrc: [ '\'self\'', 'blob:' ] // instead of deprecated child-src
20 }, 20 },
21 CONFIG.CSP.REPORT_URI ? { reportUri: CONFIG.CSP.REPORT_URI } : {}, 21 CONFIG.CSP.REPORT_URI ? { reportUri: CONFIG.CSP.REPORT_URI } : {},
22 CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: true } : {} 22 CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: [] } : {}
23) 23)
24 24
25const baseCSP = helmet.contentSecurityPolicy({ 25const baseCSP = helmet.contentSecurityPolicy({
26 directives: baseDirectives, 26 directives: baseDirectives,
27 browserSniff: false,
28 reportOnly: CONFIG.CSP.REPORT_ONLY 27 reportOnly: CONFIG.CSP.REPORT_ONLY
29}) 28})
30 29
31const embedCSP = helmet.contentSecurityPolicy({ 30const embedCSP = helmet.contentSecurityPolicy({
32 directives: Object.assign({}, baseDirectives, { frameAncestors: [ '*' ] }), 31 directives: Object.assign({}, baseDirectives, { frameAncestors: [ '*' ] }),
33 browserSniff: false, // assumes a modern browser, but allows CDN in front
34 reportOnly: CONFIG.CSP.REPORT_ONLY 32 reportOnly: CONFIG.CSP.REPORT_ONLY
35}) 33})
36 34