diff --git a/app.js b/app.js index 17d782fe4d4..ef198584922 100644 --- a/app.js +++ b/app.js @@ -26,6 +26,9 @@ function create (env, ctx) { } }); if (secureHstsHeader) { // Add HSTS (HTTP Strict Transport Security) header + + const enableCSP = env.secureCsp ? true : false; + console.info('Enabled SECURE_HSTS_HEADER (HTTP Strict Transport Security)'); const helmet = require('helmet'); var includeSubDomainsValue = env.secureHstsHeaderIncludeSubdomains; @@ -37,14 +40,26 @@ function create (env, ctx) { , preload: preloadValue } , frameguard: false + , contentSecurityPolicy: enableCSP })); - var secureCspReportOnly = env.secureCspReportOnly; + if (enableCSP) { + var secureCspReportOnly = env.secureCspReportOnly; if (secureCspReportOnly) { console.info('Enabled SECURE_CSP (Content Security Policy header). Not enforcing. Report only.'); } else { console.info('Enabled SECURE_CSP (Content Security Policy header). Enforcing.'); } + + let frameAncestors = ["'self'"]; + + for (let i = 0; i <= 8; i++) { + let u = env.settings['frameUrl' + i]; + if (u) { + frameAncestors.push(u); + } + } + app.use(helmet.contentSecurityPolicy({ //TODO make NS work without 'unsafe-inline' directives: { defaultSrc: ["'self'"] @@ -54,10 +69,11 @@ function create (env, ctx) { , imgSrc: ["'self'", 'data:'] , objectSrc: ["'none'"] // Restricts , , and elements , reportUri: '/report-violation' - , frameAncestors: ["'none'"] // Clickjacking protection, using frame-ancestors , baseUri: ["'none'"] // Restricts use of the tag , formAction: ["'self'"] // Restricts where
contents may be submitted , connectSrc: ["'self'", "ws:", "wss:", 'https://fonts.googleapis.com/', 'https://fonts.gstatic.com/'] + , frameSrc: ["'self'"] + , frameAncestors: frameAncestors } , reportOnly: secureCspReportOnly })); @@ -71,7 +87,7 @@ function create (env, ctx) { } res.status(204).end(); }) - + } } } else { console.info('Security settings: INSECURE_USE_HTTP=', insecureUseHttp, ', SECURE_HSTS_HEADER=', secureHstsHeader);