From eb1606c9c2ac7d37f0f54d11473cc37acb34c06a Mon Sep 17 00:00:00 2001
From: Felix Ableitner
Date: Tue, 5 Apr 2022 14:43:56 +0200
Subject: [PATCH] Set content security policy http header for all responses

---
 src/server/index.tsx | 21 +++++++--------------
 1 file changed, 7 insertions(+), 14 deletions(-)

diff --git a/src/server/index.tsx b/src/server/index.tsx
index d8eb8075..9756b3fa 100644
--- a/src/server/index.tsx
+++ b/src/server/index.tsx
@@ -27,6 +27,13 @@ const [hostname, port] = process.env["LEMMY_UI_HOST"]
 const extraThemesFolder = process.env["LEMMY_UI_EXTRA_THEMES_FOLDER"] || "./extra_themes";
+server.use(function (_req, res, next) {
+  res.setHeader(
+    "Content-Security-Policy",
+    "default-src 'none'; connect-src 'self'; img-src * data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; form-action 'self'; base-uri 'self'"
+  );
+  next();
+});
 server.use(express.json());
 server.use(express.urlencoded({ extended: false }));
 server.use("/static", express.static(path.resolve("./dist")));
@@ -166,13 +173,6 @@ server.get("/*", async (req, res) => {
     return res.redirect(context.url);
   }
-  const cspHtml = (
-
-  );
-
   const eruda = (
     <>
@@ -180,12 +180,8 @@ server.get("/*", async (req, res) => {
   );
   const erudaStr = process.env["LEMMY_UI_DEBUG"] ? renderToString(eruda) : "";
-
   const root = renderToString(wrapper);
   const symbols = renderToString(SYMBOLS);
-  const cspStr = process.env.LEMMY_EXTERNAL_HOST ? renderToString(cspHtml) : "";
   const helmet = Helmet.renderStatic();
   const config: ILemmyConfig = { wsHost: process.env.LEMMY_WS_HOST };
@@ -208,9 +204,6 @@ server.get("/*", async (req, res) => {
-
-        ${cspStr}
-
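Review bot: The new middleware hard-codes `connect-src 'self'`, yet the same handler still hands `wsHost: process.env.LEMMY_WS_HOST` to the client and the deleted `cspHtml` was keyed on `LEMMY_EXTERNAL_HOST`, so a deployment whose websocket or API endpoint is not same-origin will have those connections refused by the browser as soon as this header is served on every response. Build the header value once from configuration rather than a literal, appending the configured websocket/external origin to `connect-src 'self'` when `LEMMY_WS_HOST` or `LEMMY_EXTERNAL_HOST` is set, and keep it in a module-level constant so the string is not rebuilt per request; if the eruda snippet rendered under `LEMMY_UI_DEBUG` is fetched from a third-party origin, `script-src 'self'` will block it in debug mode as well. `script-src 'self' 'unsafe-inline'` also leaves the policy with little protection against injected scripts, which is the main thing a CSP is meant to provide; if server-rendered inline scripts are what forces it, a per-response nonce (`'nonce-…'`) emitted into both the header and the inline tags is the safer form. At minimum the function wants a comment recording the trade-off, e.g. `// Sent on every response; 'unsafe-inline' is needed for the server-rendered inline script/styles — move to nonces once those are enumerated`.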