Standardize on security headers to keep better track of what we need.

Also move the server to its own directory for better organization.
Timothy Farrell 2018-07-21 21:44:03 -05:00
parent cc3f66daba
commit ee79695d04
3 changed files with 48 additions and 7 deletions


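--- /dev/null
+++ b/server/headers.js
@@ -0,0 +1,36 @@
+const STANDARD_HEADERS = {
+'Service-Worker-Allowed': '/', // Allow a service worker to intercept requests
+'Content-Security-Policy': {
+'default-src': "'self'", // FF has a bug with SVGs: https://bugzilla.mozilla.org/show_bug.cgi?id=1262842
+'script-src': "'self'", // TODO: Use "strict-dynamic for production"
+'media-src': "'self'",
+'object-src': "'self'",
+'img-src': "'self' blob:",
+'connect-src': '*',
+'style-src': "'self' 'unsafe-inline'",
+'worker-src': "'self'",
+'frame-ancestors': "'none'" // No other sight may include this in a frame
+},
+'X-Content-Type-Options': 'nosniff', // http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
+'X-Frame-Options': 'DENY', // No other sight may include this in a frame
+'X-XSS-Protection': '1; mode=block',
+'Referrer-Policy': 'same-origin' // Don't send a referrer except back to this server
+// 'Strict-Transport-Security': 'max-age=63,13904; includeSubDomains; preload',
+};
+function formatHeaders(headers = STANDARD_HEADERS) {
+const _headers = Object.assign({}, headers);
+_headers['Content-Security-Policy'] = Object.entries(_headers['Content-Security-Policy'])
+.map(e => e.join(' '))
+.join('; ');
+return _headers;
+}
+function expressSetHeaders(res, path, stat) {
+res.set(formatHeaders());
+}
+module.exports = {
+formatHeaders,
+expressSetHeaders
+};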
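Review bot: The commented-out `Strict-Transport-Security` entry at the end of `STANDARD_HEADERS` carries a malformed value — `max-age=63,13904` contains a comma, so browsers would reject the header the day it is uncommented; the intended number is not clear from the page, but it needs to be a plain integer, e.g. `max-age=31536000` (one year, which is also the minimum the preload list accepts). `'connect-src': '*'` is the only directive in the policy not pinned to `'self'`, and it is the one that decides where page script may send data via fetch/XHR/WebSocket; since the API appears to live on the same origin (the `/api/v1/...` routes are on this app, and the dev server proxies `/api`), `'self'` looks sufficient and is worth trying before a release. `formatHeaders` runs `Object.entries` on the CSP entry unconditionally, so a caller-supplied headers object whose CSP is already a string (or absent) produces character garbage or throws; a guard such as `const csp = _headers['Content-Security-Policy']; if (csp && typeof csp === 'object') { ...existing join... }` keeps it safe for both shapes. Minor: `sight` → `site` in the two frame-related comments.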


@ -3,6 +3,7 @@
const express = require('express'); const express = require('express');
const request = require('request'); const request = require('request');
const bodyParser = require('body-parser'); const bodyParser = require('body-parser');
const { expressSetHeaders } = require('./headers.js');
// Constants // Constants
const B2_BASE_URL = 'https://api.backblazeb2.com/b2api/v1/'; const B2_BASE_URL = 'https://api.backblazeb2.com/b2api/v1/';
@ -12,10 +13,11 @@ const app = express();
app.use(bodyParser.text()); app.use(bodyParser.text());
app.use( app.use(
express.static('.', { express.static('./dist/', {
dotfiles: 'ignore', dotfiles: 'ignore',
etag: false, etag: false,
index: ['src/index.html'] index: ['index.html'],
setHeaders: expressSetHeaders
}) })
); );
@ -52,3 +54,8 @@ app.post('/api/v1/remove_file', POSTRedirect('/b2api/v1/b2_delete_file_version')
module.exports = { module.exports = {
app: app app: app
}; };
if (require.main === module) {
// While this can work in Chrome, it is not ready for prime-time without a security certificate.
app.listen(8090, '127.0.0.1');
}
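Review bot: Wiring the headers in only through `setHeaders: expressSetHeaders` means they are attached solely to files that `express.static` actually serves; the `/api/v1/...` responses from the `POSTRedirect` routes and express's own 404/error responses go out without CSP, `X-Frame-Options` or `nosniff`, which is where a reflected error page is most likely to be framed or sniffed. Registering a small middleware ahead of `express.static`, `app.use((req, res, next) => { res.set(formatHeaders()); next(); });` with `formatHeaders` added to the `require('./headers.js')` destructuring, makes every response carry the standard set, and `setHeaders` can then be dropped. Separately, `express.static('./dist/')` is resolved against the process's working directory rather than this file's location, so now that the server lives in its own directory, launching it from anywhere but the repo root serves the wrong tree (or nothing); `express.static(path.join(__dirname, '..', 'dist'))` pins it, assuming `path` is required above the hunk or is added. The first two lines of the file and the `POSTRedirect` definition are outside the hunks.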


@ -2,7 +2,8 @@ const path = require('path');
const webpack = require('webpack'); const webpack = require('webpack');
const ExtractTextPlugin = require('extract-text-webpack-plugin'); const ExtractTextPlugin = require('extract-text-webpack-plugin');
const HtmlWebpackPlugin = require('html-webpack-plugin'); const HtmlWebpackPlugin = require('html-webpack-plugin');
const server = require('./src/server.js'); const server = require('./server/index.js');
const { formatHeaders } = require('./server/headers.js');
const API_PORT = 8888; const API_PORT = 8888;
const API_HOST = '127.0.0.1'; const API_HOST = '127.0.0.1';
@ -27,10 +28,7 @@ module.exports = {
contentBase: path.join(__dirname, 'dist'), contentBase: path.join(__dirname, 'dist'),
host: '0.0.0.0', host: '0.0.0.0',
https: true, https: true,
headers: { headers: formatHeaders(),
'Service-Worker-Allowed': '/',
'Access-Control-Allow-Origin': '*'
},
proxy: { proxy: {
'/api': `http://${API_HOST}:${API_PORT}` '/api': `http://${API_HOST}:${API_PORT}`
} }
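Review bot: Swapping the dev-server header block for `headers: formatHeaders()` silently drops `Access-Control-Allow-Origin: '*'`, which the old block sent and the standard set does not include; if the drop is deliberate (the `/api` proxy keeps the API same-origin, so nothing should need it), a one-line comment such as `// ACAO intentionally omitted: API is same-origin via the proxy below` stops it being re-added later. The same call also applies `script-src 'self'` to everything the dev server emits, so an eval-based `devtool` source map or any inline bootstrap the dev-server client injects would now be blocked — that setting is outside the hunk, so it is worth confirming the browser console is free of CSP violations after this change. The enclosing `module.exports` object begins before the hunk.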