
helmet config
fichimura committed Mar 27, 2024
1 parent 5f61d87 commit 903fbed
Showing 9 changed files with 81 additions and 8 deletions.
47 changes: 47 additions & 0 deletions index.js
Expand Up @@ -17,6 +17,7 @@ const audiovisualRoutes = require('./routes/audiovisualRoutes');
const reviewRoutes = require('./routes/reviewRoutes');
const userRoutes = require('./routes/userRoutes');
const mongoSanitize = require('express-mongo-sanitize');
const helmet = require('helmet');


mongoose.connect('mongodb://127.0.0.1:27017/meerkat-app');
Expand All @@ -38,18 +39,64 @@ app.use(methodOverride('_method'));
app.use(express.static(path.join(__dirname, 'public')));

const sessionSettings = {
name: 'session',
secret: 'secretTest!',
resave: false,
saveUninitialized: true,
cookie: {
httpOnly: true,
// secure: true,
expires: Date.now() + 1000 * 60 * 60 * 24 * 7,
maxAge: 1000 * 60 * 60 * 24 * 7
}
}
app.use(expressSession(sessionSettings));
app.use(flash());
app.use(mongoSanitize());

const scriptSrcUrls = [
"https://stackpath.bootstrapcdn.com/",
"https://kit.fontawesome.com/",
"https://cdnjs.cloudflare.com/",
"https://cdn.jsdelivr.net",
"https://res.cloudinary.com/dmv8tvtnj/"
];
const styleSrcUrls = [
"https://kit-free.fontawesome.com/",
"https://stackpath.bootstrapcdn.com/",
"https://fonts.googleapis.com/",
"https://use.fontawesome.com/",
"https://cdn.jsdelivr.net",
"https://res.cloudinary.com/dmv8tvtnj/"
];
const connectSrcUrls = ["https://res.cloudinary.com/dmv8tvtnj/"];
const fontSrcUrls = ["https://res.cloudinary.com/dmv8tvtnj/"];

app.use(
helmet.contentSecurityPolicy({
directives: {
defaultSrc: [],
connectSrc: ["'self'", ...connectSrcUrls],
scriptSrc: ["'unsafe-inline'", "'self'", ...scriptSrcUrls],
styleSrc: ["'self'", "'unsafe-inline'", ...styleSrcUrls],
workerSrc: ["'self'", "blob:"],
objectSrc: [],
imgSrc: [
"'self'",
"blob:",
"data:",
"https://res.cloudinary.com/dmv8tvtnj/",
"https://images.unsplash.com/",
"https://source.unsplash.com/"
],
fontSrc: ["'self'", ...fontSrcUrls],
mediaSrc: ["https://res.cloudinary.com/dmv8tvtnj/"],
childSrc: ["blob:"]
},
})
);


app.use(passport.initialize());
app.use(passport.session());
passport.use(new LocalStrategy(User.authenticate()));
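Review bot: `'unsafe-inline'` in `scriptSrc` (second hunk) lets any inline `<script>` or event-handler attribute run, which removes the XSS protection that is the main reason to ship a script-src policy; the CDN allow-list then only constrains where external scripts come from. The usual fix is to mint a per-request nonce, hand it to Helmet as a function-valued source, and tag the app's own inline scripts with `nonce="<%= cspNonce %>"` in the EJS views, which also lets `defaultSrc`/`objectSrc` be written as the explicit `["'none'"]` rather than an empty array whose serialization depends on Helmet. Wrapping the directives in `helmet({ contentSecurityPolicy: { directives } })` instead of `helmet.contentSecurityPolicy(...)` would additionally emit Helmet's other default headers (X-Content-Type-Options, HSTS, X-Frame-Options), which this commit leaves off. The session block in the same hunk looks pre-existing, but the hard-coded `secret: 'secretTest!'`, the commented-out `secure: true` and the absent `sameSite` setting are worth addressing before this configuration is treated as hardened. Note also that the CSP middleware is registered after `express.static`, so responses served from `public/` never receive the header.
```javascript
// … unchanged: session, flash, mongoSanitize, *SrcUrls arrays …

app.use((req, res, next) => {
  // Per-request nonce for inline scripts; needs `const crypto = require('crypto');` next to the other requires.
  res.locals.cspNonce = crypto.randomBytes(16).toString('base64');
  next();
});

app.use(
  helmet({
    contentSecurityPolicy: {
      directives: {
        defaultSrc: ["'none'"],
        scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`, ...scriptSrcUrls],
        objectSrc: ["'none'"],
        // … unchanged: connectSrc, styleSrc, workerSrc, imgSrc, fontSrc, mediaSrc, childSrc …
      },
    },
  })
);
```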
8 changes: 8 additions & 0 deletions node_modules/.package-lock.json


14 changes: 14 additions & 0 deletions package-lock.json


1 change: 1 addition & 0 deletions package.json
Expand Up @@ -19,6 +19,7 @@
"express": "^4.18.2",
"express-mongo-sanitize": "^2.2.0",
"express-session": "^1.18.0",
"helmet": "^7.1.0",
"joi": "^17.12.2",
"method-override": "^3.0.0",
"mongoose": "^8.2.0",
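--- a/views/audiovisuals/edit.ejs
+++ b/views/audiovisuals/edit.ejs
@@ -61,7 +61,7 @@
 
 <div class="mb-3">
 <% audiovisual.images.forEach((img, index)=> { %>
-<img class="img-thumbnail" src="<%=img.thumbnail%>">
+<img crossorigin="anonymous" class="img-thumbnail" src="<%=img.thumbnail%>">
 <div class="form-check-inline">
 <input type="checkbox" id="image_<%=index%>" name="deleteImages[]" value="<%=img.filename %>">
 <label for="image_<%=index%>">Delete</label>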
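Review bot: `crossorigin="anonymous"` on the added `<img>` changes how the browser fetches the thumbnail, not whether CSP permits it: `img-src` allows the Cloudinary origin either way, whereas the attribute switches the request to CORS mode, so the image fails to render if res.cloudinary.com does not answer with `Access-Control-Allow-Origin` for that URL. If the attribute was added only to satisfy the new policy it can be dropped again, `<img class="img-thumbnail" src="<%=img.thumbnail%>">`; if it is intentional (for example to draw the image onto a canvas), confirm the CORS headers on both the thumbnail and full-size delivery URLs. The same applies to the identical attribute added in show.ejs and partials/home.ejs. The `forEach` block this `<img>` sits in opens above the hunk and closes below it.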
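--- a/views/audiovisuals/show.ejs
+++ b/views/audiovisuals/show.ejs
@@ -145,7 +145,8 @@
 <div class="carousel-inner">
 <% audiovisual.images.forEach((img,index )=> { %>
 <div class="carousel-item <%= index=== 0 ? 'active' : '' %>">
-<img class="img-thumbnail d-block w-100" src="<%=img.url%>" alt="">
+<img crossorigin="anonymous" class="img-thumbnail d-block w-100" src="<%=img.url%>"
+alt="">
 </div>
 <%})%>
 </div>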
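--- a/views/errorTemplates/error.ejs
+++ b/views/errorTemplates/error.ejs
@@ -3,7 +3,9 @@
 <h4 class="alert-heading">
 <%= err.message%>
 </h4>
-<div class="text-wrap">
-<%= err.stack %>
-</div>
+<%if(process.env.NODE_ENV !=='production' ) { %>
+<div class="text-wrap">
+<%= err.stack %>
+</div>
+<% }%>
 </div>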
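Review bot: The guard on the added `<%if(process.env.NODE_ENV !=='production' ) { %>` line fails open: with NODE_ENV unset or misspelled, which is the state of a fresh deployment, the full `err.stack` is still rendered to the client. Inverting it to an allow-list, `<% if (process.env.NODE_ENV === 'development') { %>`, keeps the stack hidden by default; more robust still is to delete `err.stack` in the Express error handler before `res.render`, so no template can leak it regardless of its own checks. `err.message` two lines above is rendered unconditionally; `<%= %>` escapes it so this is not an XSS vector, but messages from Mongoose or validation errors can expose internal details and are worth replacing with a generic string outside development. The enclosing alert `<div>` opens above the hunk.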
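--- a/views/home.ejs
+++ b/views/home.ejs
@@ -7,8 +7,8 @@
 <meta charset="UTF-8">
 <meta name="viewport" content="width=device-width, initial-scale=1.0">
 <title>Meerkat</title>
-<link href="https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css"
-rel="stylesheet"
+<link crossorigin="anonymous"
+href="https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css" rel="stylesheet"
 integrity="sha384-QWTKZyjpPEjISv5WaRU9OFeRpok6YctnYmDr5pNlyT2bRjXh0JMhjY6hW+ALEwIH"
 crossorigin="anonymous">
 <link rel="stylesheet" href="/stylesheets/home.css">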
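Review bot: The rewritten `<link>` now carries `crossorigin="anonymous"` twice, on the new opening line and again on the unchanged closing line `crossorigin="anonymous">`; browsers keep the first occurrence so nothing breaks, but a duplicate attribute is invalid HTML and obscures which one is intended. Drop the attribute from the new first line so the tag reads `<link href="https://cdn.jsdelivr.net/npm/…/bootstrap.min.css" rel="stylesheet"` followed by the existing `integrity` and `crossorigin` lines. That `integrity` plus `crossorigin` pairing is what makes SRI effective for the CDN stylesheet, so keep both and regenerate the hash whenever the Bootstrap version changes.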
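--- a/views/partials/home.ejs
+++ b/views/partials/home.ejs
@@ -21,7 +21,7 @@
 </div>
 <%if(currentUser) {%>
 <div class="ms-3 mt-5">
-<img class="img-fluid" src="https://source.unsplash.com/HTVUiryU9eo">
+<img crossorigin="anonymous" class="img-fluid" src="https://source.unsplash.com/HTVUiryU9eo">
 </div>
 <%}%>
 </div>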
