resave: false,
saveUninitialized: true
};
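// Compression is mounted before any route so every response body is eligible.
app.use(compression({ threshold: 512 }));
app.use(cookieParser());
app.io.session(session);
auth.setup(app, session, core);

// Security headers. frameguard() with no argument emits X-Frame-Options: SAMEORIGIN.
app.use(helmet.frameguard());
app.use(helmet.hidePoweredBy());
app.use(helmet.ieNoOpen());
app.use(helmet.noSniff());
app.use(helmet.xssFilter());

// Strict-Transport-Security. The option is spelled `includeSubDomains` (capital D);
// the lowercase `includeSubdomains` was only tolerated as an alias by older hsts
// releases and is rejected by newer helmet versions, so the canonical name is used.
// NOTE(review): maxAge is in seconds for helmet >= 3 (31536000 = one year, the
// minimum the HSTS preload list accepts) but was milliseconds in helmet 2.x —
// confirm against the pinned helmet version before relying on `preload: true`.
app.use(helmet.hsts({
  maxAge: 31536000,
  includeSubDomains: true,
  // `force` emits the header even when req.secure is false (e.g. behind a
  // TLS-terminating proxy without `trust proxy`); presumably gated on the HTTPS
  // flag so a plain-HTTP deployment does not advertise HSTS — confirm with caller.
  force: httpsEnabled,
  preload: true,
}));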
app.use(helmet.contentSecurityPolicy({
defaultSrc: ['\'none\''],
connectSrc: ['*'],
scriptSrc: ['\'self\'', '\'unsafe-eval\''],
styleSrc: ['\'self\'', 'fonts.googleapis.com', '\'unsafe-inline\''],
fontSrc: ['\'self\'', 'fonts.gstatic.com'],
mediaSrc: ['\'self\''],
objectSrc: ['\'self\''],
global.config = config;

// View engine setup.
app.set('views', `${__dirname}/views`);
app.set('view engine', 'ejs');
app.use(morgan('dev'));

// Makes req/res reachable from anywhere during the request lifecycle;
// see https://github.com/Jacky-fe/express-httpcontext
app.use(contextMiddleware);

// Body parsing comes first: hpp() operates on the already-parsed req.query/req.body,
// collapsing repeated parameters to a single value. The helmet calls then set the
// response headers (CSP directives come from config.csp).
// NOTE(review): frameguard('deny') is the string-argument form; newer helmet
// releases expect `{ action: 'deny' }` — confirm against the pinned version.
for (const middleware of [
  bodyParser.json(),
  bodyParser.urlencoded({ extended: false }),
  hpp(),
  helmet.contentSecurityPolicy(config.csp),
  helmet.xssFilter(),
  helmet.frameguard('deny'),
  helmet.ieNoOpen(),
  helmet.noSniff(),
  cookieParser(),
]) {
  app.use(middleware);
}
app.use(express.static(path.join(__dirname, './static')));

// API routes.
app.use('/api/v0/posts', require('./api/posts').default);
app.use('/api/v0/post', require('./api/post').default);
app.get('*', async (req, res, next) => {
const store = configureStore();
const routes = createRoutes(store);
const history = createMemoryHistory(req.path);
const { dispatch } = store;
try{
match({ routes, history }, async (error, redirectLocation, renderProps) => {
if (error){
next(error);
}
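// The xssFilter middleware sets the X-XSS-Protection header to prevent
// reflected XSS attacks.
// @see https://helmetjs.github.io/docs/xss-filter/
app.use(helmet.xssFilter());
// Frameguard mitigates clickjacking attacks by setting the X-Frame-Options header.
// This app is meant to be embeddable, so frameguard is intentionally NOT mounted:
// omitting the middleware is the only way to leave the header off. The previous
// `helmet.frameguard('false')` passed a string that is not one of the documented
// actions (DENY / SAMEORIGIN / ALLOW-FROM), which frameguard does not accept as
// "disabled".
// NOTE(review): with X-Frame-Options absent, a CSP `frame-ancestors` directive
// listing the permitted embedding origins is the standard way to still restrict
// who may frame this app.
// @see https://helmetjs.github.io/docs/frameguard/
// Sets the X-Download-Options to prevent Internet Explorer from executing
// downloads in your site’s context.
// @see https://helmetjs.github.io/docs/ienoopen/
app.use(helmet.ieNoOpen());
// Strict-Transport-Security: https://github.com/helmetjs/hsts
// hstsMA is presumably a duration accepted by ms(); the division turns its
// milliseconds into the seconds hsts expects (helmet >= 3). `includeSubDomains`
// is the canonical spelling — older hsts releases also accepted the lowercase
// alias, newer helmet versions reject it.
// NOTE(review): `preload: true` is only honoured by the preload list when
// max-age is at least one year — confirm hstsMA is not shorter than that.
app.use(
  helmet.hsts({
    maxAge: ms(hstsMA) / 1000,
    includeSubDomains: true,
    preload: true,
  }),
);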
// Public-Key-Pins: https://github.com/helmetjs/hpkp
app.use(
helmet.hpkp({
maxAge: ms(hstsMA) / 1000,
sha256s: [
'ENbaVbZki8BGBCq0jIUE8SJqvBnWf6CL8hkf4GYsg0A=',
'E+nXO/0USWdc+uY6Q9iK9lfS99qFMgwk30N4vRV2XHI=',
],
}
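// The xssFilter middleware sets the X-XSS-Protection header to prevent
// reflected XSS attacks.
// @see https://helmetjs.github.io/docs/xss-filter/
app.use(helmet.xssFilter());
// Frameguard mitigates clickjacking attacks by setting the X-Frame-Options header.
// This app is meant to be embeddable, so frameguard is intentionally NOT mounted:
// omitting the middleware is the only way to leave the header off. The previous
// `helmet.frameguard('false')` passed a string that is not one of the documented
// actions (DENY / SAMEORIGIN / ALLOW-FROM), which frameguard does not accept as
// "disabled".
// NOTE(review): with X-Frame-Options absent, a CSP `frame-ancestors` directive
// listing the permitted embedding origins is the standard way to still restrict
// who may frame this app.
// @see https://helmetjs.github.io/docs/frameguard/
// Sets the X-Download-Options to prevent Internet Explorer from executing
// downloads in your site’s context.
// @see https://helmetjs.github.io/docs/ienoopen/
app.use(helmet.ieNoOpen());
// Strict-Transport-Security: https://github.com/helmetjs/hsts
// hstsMA is presumably a duration accepted by ms(); the division turns its
// milliseconds into the seconds hsts expects (helmet >= 3). `includeSubDomains`
// is the canonical spelling — older hsts releases also accepted the lowercase
// alias, newer helmet versions reject it.
// NOTE(review): `preload: true` is only honoured by the preload list when
// max-age is at least one year — confirm hstsMA is not shorter than that.
app.use(
  helmet.hsts({
    maxAge: ms(hstsMA) / 1000,
    includeSubDomains: true,
    preload: true,
  }),
);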
// Public-Key-Pins: https://github.com/helmetjs/hpkp
app.use(
helmet.hpkp({
maxAge: ms(hstsMA) / 1000,
sha256s: [
'ENbaVbZki8BGBCq0jIUE8SJqvBnWf6CL8hkf4GYsg0A=',
'E+nXO/0USWdc+uY6Q9iK9lfS99qFMgwk30N4vRV2XHI=',
],
// Hardening middleware, mounted in this order:
//  - hpp(): collapses repeated query/body parameters so handlers see a single
//    value instead of an array (HTTP parameter pollution).
//  - xssFilter(): X-XSS-Protection, the legacy reflected-XSS heuristic header.
//  - frameguard('deny'): X-Frame-Options: DENY, no origin may frame this app.
//    NOTE(review): the string action is the older frameguard API; newer helmet
//    releases expect `{ action: 'deny' }` — confirm against the pinned version.
//  - ieNoOpen(): X-Download-Options: noopen, keeps IE from running downloads in
//    the site's context.
//  - noSniff(): X-Content-Type-Options: nosniff, stops MIME-type guessing.
// @see https://helmetjs.github.io/docs/
for (const hardening of [
  hpp(),
  helmet.xssFilter(),
  helmet.frameguard('deny'),
  helmet.ieNoOpen(),
  helmet.noSniff(),
]) {
  server.use(hardening);
}
if (enableNonce) {
// Attach a unique "nonce" to every response. This allows use to declare
// inline scripts as being safe for execution against our content security policy.
// @see https://helmetjs.github.io/docs/csp/
server.use(
(
request: express$Request,
response: express$Response,
next: express$NextFunction
/**
 * Mounts helmet's security-header middleware on an Express app and removes the
 * X-Powered-By header.
 *
 * Headers emitted: X-Frame-Options (frameguard default, SAMEORIGIN),
 * X-XSS-Protection, X-Content-Type-Options: nosniff, X-Download-Options: noopen
 * and Strict-Transport-Security with includeSubDomains. `force: true` sends the
 * HSTS header even when req.secure is false (e.g. behind a TLS-terminating proxy).
 *
 * NOTE(review): 15778476000 is six months in milliseconds, the unit helmet 2.x
 * hsts used; helmet >= 3 expects seconds, where this value is roughly 500 years —
 * confirm the pinned helmet version.
 *
 * @param {object} app - Express application to configure
 * @returns {void}
 */
module.exports.initHelmetHeaders = (app) => {
  const SIX_MONTHS = 15778476000;
  const headerMiddleware = [
    helmet.frameguard(),
    helmet.xssFilter(),
    helmet.noSniff(),
    helmet.ieNoOpen(),
    helmet.hsts({ maxAge: SIX_MONTHS, includeSubDomains: true, force: true }),
  ];
  for (const middleware of headerMiddleware) {
    app.use(middleware);
  }
  app.disable('x-powered-by');
};
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "'unsafe-inline'"],
styleSrc: ["'self'"],
imgSrc: ["'none'"],
connectSrc: ["'self'", "ws:", "wss:"],
fontSrc: ["'none'"],
objectSrc: ["'none'"],
mediaSrc: ["'none'"],
frameSrc: ["'none'"]
}
})
);
// Remaining header middleware: X-XSS-Protection, X-Frame-Options: DENY,
// X-Download-Options: noopen and X-Content-Type-Options: nosniff.
for (const headerMiddleware of [
  helmet.xssFilter(),
  helmet.frameguard("deny"),
  helmet.ieNoOpen(),
  helmet.noSniff(),
]) {
  app.use(headerMiddleware);
}
};
// Content-Security-Policy: every fetch directive is same-origin except connect-src,
// which additionally allows plaintext WebSocket endpoints ('ws:' matches any host
// on that scheme), while object/media/frame sources are blocked outright.
// NOTE(review): frame-ancestors, base-uri and form-action never fall back to
// default-src; framing is covered by frameguard below, the other two are unset here.
// NOTE(review): directives are given at the top level rather than under
// `directives: {}`, the shape older helmet releases used — confirm against the
// pinned version.
const cspDirectives = {
  defaultSrc: ["'self'"],
  scriptSrc: ["'self'"],
  styleSrc: ["'self'"],
  imgSrc: ["'self'"],
  connectSrc: ["'self'", 'ws:'],
  fontSrc: ["'self'"],
  objectSrc: ["'none'"],
  mediaSrc: ["'none'"],
  frameSrc: ["'none'"],
};
server.use(helmet.contentSecurityPolicy(cspDirectives));

// X-XSS-Protection, X-Frame-Options: DENY, X-Download-Options: noopen,
// X-Content-Type-Options: nosniff.
for (const headerMiddleware of [
  helmet.xssFilter(),
  helmet.frameguard('deny'),
  helmet.ieNoOpen(),
  helmet.noSniff(),
]) {
  server.use(headerMiddleware);
}
}
else if (process.env.NODE_ENV === 'secure') {
let morgan = require('morgan');
app.use(morgan('dev'));
}
// Request parsing. methodOverride() lets a client rewrite the HTTP verb (via a
// header or query parameter, depending on version/config) — NOTE(review): a plain
// GET/POST can thereby become DELETE/PUT, so any CSRF defence must be evaluated
// against the overridden method, not the one on the wire.
app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());
app.use(xss());
app.use(methodOverride());

// Security headers. helmet() mounts its default set with frameguard switched off
// (this app is framed elsewhere). The explicit xssFilter/noSniff/ieNoOpen calls and
// disable('x-powered-by') presumably overlap with that default set; harmless, since
// setting the same header twice keeps the last value.
app.use(helmet({ frameguard: false }));
for (const headerMiddleware of [helmet.xssFilter(), helmet.noSniff(), helmet.ieNoOpen()]) {
  app.use(headerMiddleware);
}
app.disable('x-powered-by');

// CORS: any origin may read responses; with a wildcard origin browsers refuse
// credentialed (cookie-bearing) cross-origin reads. X-Frame-Options is stripped
// again in case an earlier middleware added it.
app.use((req, res, next) => {
  res.header('Access-Control-Allow-Origin', '*');
  res.header('Access-Control-Allow-Headers', 'Origin, X-Requested-With, Content-Type, Accept');
  res.removeHeader('X-Frame-Options');
  next();
});
app.set('jsonp callback', true);

// Optional Swagger UI, toggled from config; the spec is a local file, not request input.
if (config_1.config.toggle.apidoc) {
  const swaggerDocument = YAML.load(path.join(__dirname, '../../apidoc.yaml'));
  app.use('/api-docs', swaggerUi.serve, swaggerUi.setup(swaggerDocument));
}

// Route auto-loading: every file under a `routes` directory is required and handed
// the app. NOTE(review): `./**` is resolved against the working directory and glob
// does not skip node_modules, so a dependency shipping a routes/*.js file would be
// loaded too — consider anchoring the pattern to the source tree.
for (const routePath of glob.sync('./**/routes/**/*.js')) {
  require(path.resolve(routePath))(app);
}
app.use(express.static(path.join(__dirname, '../app/public')));