From 4bdd9473fdecfa7e309e3c59b05b29d0a20ac397 Mon Sep 17 00:00:00 2001
From: Rigel Kent
Date: Tue, 17 Jul 2018 11:37:25 +0200
Subject: adding CSP, no-referrer policies and allow dns prefetching

---
 server.ts | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

(limited to 'server.ts')

diff --git a/server.ts b/server.ts
index 26750802c..a688bb5d0 100644
--- a/server.ts
+++ b/server.ts
@@ -52,7 +52,25 @@ app.set('trust proxy', CONFIG.TRUST_PROXY)
 // Security middlewares
 app.use(helmet({
 frameguard: {
- action: 'deny'
+ action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
 },
+ dnsPrefetchControl: {
+ allow: true
+ },
+ contentSecurityPolicy: {
+ directives: {
+ fontSrc: ["'self'"],
+ frameSrc: ["'none'"],
+ mediaSrc: ['*', 'https:'],
+ objectSrc: ["'none'"],
+ scriptSrc: ["'self'"],
+ styleSrc: ["'self'"],
+ upgradeInsecureRequests: true
+ },
+ browserSniff: false // assumes a modern browser, but allows CDN in front
+ },
+ referrerPolicy: {
+ policy: 'strict-origin-when-cross-origin'
 }
 }))
-- cgit v1.2.3
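Review bot: The `contentSecurityPolicy.directives` object sets no `defaultSrc`, so every fetch directive it does not list (`connect-src`, `img-src`, `worker-src`, `child-src`, `manifest-src`) and the navigation directives `base-uri` and `form-action` stay completely unrestricted; as far as I recall helmet at this version emits exactly the keys given here and nothing else, so the policy only constrains the six listed source types. Adding `defaultSrc: ["'self'"]` together with `baseUri: ["'self'"]` and `formAction: ["'self'"]` would close that gap, but `imgSrc`/`connectSrc` would then have to enumerate whatever remote origins the client actually loads (not visible in this hunk), so this needs testing against a federated instance before merging. Two smaller points: `'https:'` in `mediaSrc` is already covered by `'*'` (which only excludes data:/blob:-style schemes), and the commit subject says "no-referrer" while the code sets `strict-origin-when-cross-origin`, which still sends the origin on cross-origin requests, so either the subject or the policy should be corrected. The `app.use(helmet({` call is closed inside the hunk, but the surrounding middleware setup continues outside it.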