explorigin/gallery
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Standardize on security headers to keep better track of what we need.

Browse Source 
Also move the server to it's own directory for better organization.
This commit is contained in:
Timothy Farrell 2018-07-21 21:44:03 -05:00
parent 9c5e8d42e7
commit 4df1a917af
3 changed files with 48 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
packages/gallery/server/headers.js Normal file
View File

@ -0,0 +1,36 @@
const STANDARD_HEADERS = {
'Service-Worker-Allowed': '/', // Allow a service worker to intercept requests
'Content-Security-Policy': {
'default-src': "'self'", // FF has a bug with SVGs: https://bugzilla.mozilla.org/show_bug.cgi?id=1262842
'script-src': "'self'", // TODO: Use "strict-dynamic for production"
'media-src': "'self'",
'object-src': "'self'",
'img-src': "'self' blob:",
'connect-src': '*',
'style-src': "'self' 'unsafe-inline'",
'worker-src': "'self'",
'frame-ancestors': "'none'" // No other sight may include this in a frame
},
'X-Content-Type-Options': 'nosniff', // http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
'X-Frame-Options': 'DENY', // No other sight may include this in a frame
'X-XSS-Protection': '1; mode=block',
'Referrer-Policy': 'same-origin' // Don't send a referrer except back to this server
// 'Strict-Transport-Security': 'max-age=63,13904; includeSubDomains; preload',
};
function formatHeaders(headers = STANDARD_HEADERS) {
const _headers = Object.assign({}, headers);
_headers['Content-Security-Policy'] = Object.entries(_headers['Content-Security-Policy'])
.map(e => e.join(' '))
.join('; ');
return _headers;
}
function expressSetHeaders(res, path, stat) {
res.set(formatHeaders());
}
module.exports = {
formatHeaders,
expressSetHeaders
};

11
packages/gallery/src/server.js → packages/gallery/server/index.js
View File

@ -3,6 +3,7 @@
const express = require('express'); const express = require('express');
const request = require('request'); const request = require('request');
const bodyParser = require('body-parser'); const bodyParser = require('body-parser');
const { expressSetHeaders } = require('./headers.js');
// Constants // Constants
const B2_BASE_URL = 'https://api.backblazeb2.com/b2api/v1/'; const B2_BASE_URL = 'https://api.backblazeb2.com/b2api/v1/';
@ -12,10 +13,11 @@ const app = express();
app.use(bodyParser.text()); app.use(bodyParser.text());
app.use( app.use(
express.static('.', { express.static('./dist/', {
dotfiles: 'ignore', dotfiles: 'ignore',
etag: false, etag: false,
index: ['src/index.html'] index: ['index.html'],
setHeaders: expressSetHeaders
}) })
); );
@ -52,3 +54,8 @@ app.post('/api/v1/remove_file', POSTRedirect('/b2api/v1/b2_delete_file_version')
module.exports = { module.exports = {
app: app app: app
}; };
if (require.main === module) {
// While this can work in Chrome, it is not ready for prime-time without a security certificate.
app.listen(8090, '127.0.0.1');
}

8
packages/gallery/webpack.config.js
View File

@ -2,7 +2,8 @@ const path = require('path');
const webpack = require('webpack'); const webpack = require('webpack');
const ExtractTextPlugin = require('extract-text-webpack-plugin'); const ExtractTextPlugin = require('extract-text-webpack-plugin');
const HtmlWebpackPlugin = require('html-webpack-plugin'); const HtmlWebpackPlugin = require('html-webpack-plugin');
const server = require('./src/server.js'); const server = require('./server/index.js');
const { formatHeaders } = require('./server/headers.js');
const API_PORT = 8888; const API_PORT = 8888;
const API_HOST = '127.0.0.1'; const API_HOST = '127.0.0.1';
@ -27,10 +28,7 @@ module.exports = {
contentBase: path.join(__dirname, 'dist'), contentBase: path.join(__dirname, 'dist'),
host: '0.0.0.0', host: '0.0.0.0',
https: true, https: true,
headers: { headers: formatHeaders(),
'Service-Worker-Allowed': '/',
'Access-Control-Allow-Origin': '*'
},
proxy: { proxy: {
'/api': `http://${API_HOST}:${API_PORT}` '/api': `http://${API_HOST}:${API_PORT}`
} }