import { routes } from '../src/routes';
import { loginSuccess } from '../src/actions/auth';
import { getPostsForPage } from '../src/actions/posts';
import { createError } from '../src/actions/error';
// Create the express app and database
// Create the express app and database
const app = express();
const backend = DB();
// Add some boilerplate middleware. Registration order is the execution order: everything
// below runs before the '/api', '/static' and favicon handlers mounted at the end.
app.use(logger(__PRODUCTION__ ? 'combined' : 'dev'));
// X-XSS-Protection header (legacy browser-side filter; mainstream browsers no longer implement it).
app.use(helmet.xssFilter({ setOnOldIE: true }));
app.use(responseTime());
// X-Frame-Options with helmet's default action (no explicit 'deny' here — confirm the default
// for the pinned helmet version is what the app wants).
app.use(helmet.frameguard());
app.use(helmet.ieNoOpen());
app.use(helmet.noSniff());
// Replaces the X-Powered-By value rather than removing the header.
app.use(helmet.hidePoweredBy({ setTo: 'react' }));
app.use(compression());
app.use(cookieParser());
// NOTE(review): JSON bodies are parsed with bodyParser's default size limit — confirm that is
// intended for the '/api' backend mounted below.
app.use(bodyParser.json());
app.use(hpp());
// CORS allow-list comes from the 'ORIGINS' config key; no credentials option is set here.
app.use(cors({ origin: config.get('ORIGINS') }));
// NOTE(review): no HSTS and no Content-Security-Policy middleware is registered in this chain —
// confirm whether they are set elsewhere (e.g. at a TLS terminator) or are intentionally absent.
// other Route handlers
app.use('/api', backend);
app.use('/static', express.static(resolve(__dirname, '..', 'static')));
app.use(favicon(resolve(__dirname, '..', 'static', 'assets', 'meta', 'favicon.ico')));
app.use('*', (req, res) => {
// Use React Router to match the incoming URL to a path
match({ routes: routes, location: req.originalUrl }, async (err, redirectLocation, props) => {
// Only redirect if necessary and if the user isn't on the login page (to prevent a loop)
if (redirectLocation && req.originalUrl !== '/login') {
// X-XSS-Protection header (legacy browser-side filter; mainstream browsers no longer implement it).
server.use(helmet.xssFilter())
// Frameguard mitigates clickjacking attacks by setting the X-Frame-Options header.
// NOTE(review): the string argument is the older frameguard API; current helmet takes
// helmet.frameguard({ action: 'deny' }) — confirm the pinned version still accepts a string.
// @see https://helmetjs.github.io/docs/frameguard/
server.use(helmet.frameguard("deny"))
// Sets the X-Download-Options to prevent Internet Explorer from executing
// downloads in your site’s context.
// @see https://helmetjs.github.io/docs/ienoopen/
server.use(helmet.ieNoOpen())
// Don’t Sniff Mimetype middleware, noSniff, helps prevent browsers from trying
// to guess (“sniff”) the MIME type, which can have security implications. It
// does this by setting the X-Content-Type-Options header to nosniff.
// @see https://helmetjs.github.io/docs/dont-sniff-mimetype/
server.use(helmet.noSniff())
// Caller-supplied middleware runs after the header middleware above. An array entry is
// spread into server.use(), so it can be a mount path followed by handlers; anything else
// is registered as a plain handler. (Array.isArray would also recognise cross-realm arrays.)
if (customMiddleware)
customMiddleware.forEach(
(middleware) => {
if (middleware instanceof Array)
server.use(...middleware)
else
server.use(middleware)
}
)
// Parse cookies via standard express tooling
server.use(cookieParser())
// Detect client locale and match it with configuration
server.use(createLocaleMiddleware({
}
// configure app
const app = express()
app.set('port', port)
app.set('logger', logger)
app.set('healthCheck', healthCheck)
// NOTE(review): this key has a trailing space ('periodSeconds '), so app.get('periodSeconds')
// would not find it — confirm whether readers use the same spelling or this is a typo.
app.set('periodSeconds ', periodSeconds)
app.set('io', api.io)
// Trust one proxy hop so req.ip / req.protocol are taken from that hop's X-Forwarded-* headers.
app.set('trust proxy', 1)
app.set('etag', false)
app.set('x-powered-by', false)
// Security headers registered before the routers, so every route response gets them.
app.use(helmet.dnsPrefetchControl())
app.use(helmet.permittedCrossDomainPolicies())
app.use(helmet.noSniff())
// HSTS with helmet's defaults (no includeSubDomains / preload set here).
app.use(helmet.hsts())
app.use('/auth', auth.router)
app.use('/api', api.router)
app.use('/webhook', githubWebhook.router)
app.get('/config.json', api.frontendConfig)
// NOTE(review): registered after the routers above, so any response finished by /auth, /api,
// /webhook or /config.json never reaches this middleware (or anything registered after it).
app.use(helmet.xssFilter())
app.use(helmet.contentSecurityPolicy({
directives: {
defaultSrc: ['\'self\''],
connectSrc,
styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://fonts.googleapis.com', 'https://cdn.materialdesignicons.com'],
fontSrc: ['\'self\'', 'https://fonts.gstatic.com', 'https://cdn.materialdesignicons.com'],
imgSrc,
scriptSrc: ['\'self\'', '\'unsafe-eval\''],
frameAncestors: ['\'none\'']
// X-XSS-Protection header (legacy browser-side filter; mainstream browsers no longer implement it).
server.use(helmet.xssFilter())
// Frameguard mitigates clickjacking attacks by setting the X-Frame-Options header.
// NOTE(review): the string argument is the older frameguard API; current helmet takes
// helmet.frameguard({ action: 'deny' }) — confirm the pinned version still accepts a string.
// @see https://helmetjs.github.io/docs/frameguard/
server.use(helmet.frameguard("deny"))
// Sets the X-Download-Options to prevent Internet Explorer from executing
// downloads in your site’s context.
// @see https://helmetjs.github.io/docs/ienoopen/
server.use(helmet.ieNoOpen())
// Don’t Sniff Mimetype middleware, noSniff, helps prevent browsers from trying
// to guess (“sniff”) the MIME type, which can have security implications. It
// does this by setting the X-Content-Type-Options header to nosniff.
// @see https://helmetjs.github.io/docs/dont-sniff-mimetype/
server.use(helmet.noSniff())
// Caller-supplied middleware runs after the header middleware above. An array entry is
// spread into server.use(), so it can be a mount path followed by handlers; anything else
// is registered as a plain handler. (Array.isArray would also recognise cross-realm arrays.)
if (customMiddleware)
customMiddleware.forEach(
(middleware) => {
if (middleware instanceof Array)
server.use(...middleware)
else
server.use(middleware)
}
)
// Parse cookies via standard express tooling
server.use(cookieParser())
// Detect client locale and match it with configuration
server.use(createLocaleMiddleware({
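// X-XSS-Protection header (legacy browser-side filter; mainstream browsers no longer implement it).
server.use(helmet.xssFilter());
// Frameguard mitigates clickjacking attacks by setting the X-Frame-Options header.
// NOTE(review): the string argument is the older frameguard API; current helmet takes
// helmet.frameguard({ action: 'deny' }) — confirm the pinned version still accepts a string.
// @see https://helmetjs.github.io/docs/frameguard/
server.use(helmet.frameguard('deny'));
// Sets the X-Download-Options to prevent Internet Explorer from executing
// downloads in your site’s context.
// @see https://helmetjs.github.io/docs/ienoopen/
server.use(helmet.ieNoOpen());
// Don’t Sniff Mimetype middleware, noSniff, helps prevent browsers from trying
// to guess (“sniff”) the MIME type, which can have security implications. It
// does this by setting the X-Content-Type-Options header to nosniff.
// @see https://helmetjs.github.io/docs/dont-sniff-mimetype/
server.use(helmet.noSniff());
server.use(compression());
server.enable('view cache');
server.enable('strict routing');
setRoutes(config, getAssets);
server.use('/', routingApp);
// Don't expose any software information to potential hackers.
// Express settings are plain case-sensitive keys and the built-in one is 'x-powered-by';
// the previous spelling 'X-Powered-By' set an unrelated key and left the header enabled.
// The setting is read per request, so disabling it after the routes are mounted is fine.
server.disable('x-powered-by');
return server;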
};
private initializeSecurity() {
  // Helmet header middleware, registered on this.app in this exact order.
  // NOTE(review): helmet.noCache() was removed in helmet 4 (moved to a separate package);
  // confirm the pinned helmet version still exports it. No Content-Security-Policy is set here.
  const securityMiddleware = [
    helmet.noCache(),
    helmet.frameguard(),
    helmet.hidePoweredBy(),
    helmet.hsts(),
    helmet.ieNoOpen(),
    helmet.noSniff(),
    helmet.xssFilter(),
  ];
  for (const middleware of securityMiddleware) {
    this.app.use(middleware);
  }
}
private initSecurityHeaders() {
// Drop the default X-Powered-By: Express header.
this.app.disable('x-powered-by');
// helmet() registers its default bundle of header middleware; only frameguard is overridden
// here, to X-Frame-Options: DENY.
this.app.use(
helmet({
frameguard: {action: 'deny'},
}),
);
// NOTE(review): noSniff and xssFilter are part of helmet()'s default bundle in the 3.x/4.x
// lines, so these two registrations are likely redundant — confirm for the pinned version.
this.app.use(helmet.noSniff());
this.app.use(helmet.xssFilter());
// One-year HSTS covering subdomains with the preload flag. helmet() above already emits a
// default Strict-Transport-Security header; this later registration overwrites it with these
// values. Preload is effectively permanent — only keep it if every subdomain serves HTTPS.
this.app.use(
helmet.hsts({
includeSubDomains: true,
maxAge: 31536000,
preload: true,
}),
);
this.app.use(
helmet.contentSecurityPolicy({
browserSniff: true,
directives: this.config.SERVER.CSP,
disableAndroid: false,
loose: !this.config.SERVER.DEVELOPMENT,
reportOnly: false,
setAllHeaders: false,
// Server-side sessions stored in Mongo. With resave and saveUninitialized both true, every
// request writes the session back and every first visit creates a store entry.
// NOTE(review): express-session documents false for both as the usual choice; true here grows
// the store with anonymous sessions — confirm it is intended.
app.use(session({
resave: true,
saveUninitialized: true,
secret: secrets.sessionSecret,
store: new MongoStore({
url: secrets.db,
'autoReconnect': true
})
}));
app.use(passport.initialize());
app.use(passport.session());
app.use(flash());
// Drop the default X-Powered-By: Express header.
app.disable('x-powered-by');
app.use(helmet.xssFilter());
app.use(helmet.noSniff());
// NOTE(review): helmet.xframe() is the pre-1.0 helmet name for what is now frameguard() —
// confirm the pinned helmet version still exports it.
app.use(helmet.xframe());
// Wildcard CORS for every request and method (OPTIONS preflights fall through to next() too).
// Browsers do not send cookies to an Access-Control-Allow-Origin: '*' response, so the session
// above is not readable cross-origin through this; anything unauthenticated is.
app.use(function(req, res, next) {
res.header("Access-Control-Allow-Origin", "*");
res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
next();
});
var trusted = [
"'self'",
'*.freecodecamp.com',
'*.gstatic.com',
'*.google-analytics.com',
'*.googleapis.com',
'*.google.com',
'*.gstatic.com',
'*.doubleclick.net',
router.use(requestid());
router.use(this.loggerMiddleware());
let securityConfig = this.config.security || {};
// CSP: the project's directives are merged over a default report-uri. Report-only in
// development, enforced in every other environment.
// NOTE(review): reportUri always points at '/_report-csp-violations', but the handler for that
// path is only registered in development (below), so outside development browsers POST
// violation reports to a route this router does not handle — unless something else serves it,
// reports are lost. (securityConfig is already defaulted to {} above, so the
// `securityConfig &&` guard is redundant.)
router.use(helmet.csp({
directives: merge({ reportUri: '/_report-csp-violations' }, securityConfig && securityConfig.csp),
reportOnly: this.environment === 'development',
disableAndroid: true
}));
// Development-only sink for CSP reports: acknowledged with 200 and discarded.
if (this.environment === 'development') {
router.post('/_report-csp-violations', (req, res) => { res.sendStatus(200); });
}
router.use(helmet.xssFilter());
router.use(helmet.frameguard());
router.use(helmet.hidePoweredBy());
router.use(helmet.ieNoOpen());
router.use(helmet.noSniff());
router.use(compression());
// CORS options come straight from config; when absent, cors() runs with its own defaults
// (presumably permissive for origin — confirm against the cors package version in use).
router.use(cors(securityConfig.cors));
router.use(cookies());
router.use(blackburn({
adapters: this.container.lookupType('adapters'),
serializers: this.container.lookupType('serializers')
}));
// Optional HTTPS enforcement. forceSSL reads its options from res.locals, so they are set
// per request here; 301 vs temporary redirects is driven by securityConfig.redirectToSSL.
if (securityConfig.requireSSL) {
router.use((req, res, next) => {
res.locals = res.locals || {};
res.locals.forceSSLOptions = { enable301Redirects: securityConfig.redirectToSSL };
forceSSL(req, res, next);
});
}
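// Method override for every route (with no getter configured, the package reads the
// X-HTTP-Method-Override header on POST requests). Any client that can POST can therefore
// reach PUT/DELETE handlers, so CSRF protection has to cover those as well.
app.use(require('method-override')());
app.use(cookieParser());
// Session secret: taken from the environment when provided, otherwise the historical literal
// so existing deployments keep working. The literal is in source control and must be treated
// as public — set SESSION_SECRET wherever this runs outside local development.
app.use(session(
{
secret: process.env.SESSION_SECRET || 'fav-organizer',
resave: true,
saveUninitialized: true
}
));
app.use(passport.initialize());
app.use(passport.session());
// NOTE(review): helmet.xframe() is the pre-1.0 helmet name for what is now frameguard() —
// confirm the pinned helmet version still exports it.
app.use(helmet.xframe());
app.use(helmet.xssFilter());
app.use(helmet.noSniff());
// Drop the default X-Powered-By: Express header.
app.disable('x-powered-by');
// Autoload models, then controllers, then routes into the app (the order suggests routes
// depend on controllers and models being registered first — confirm).
load('models', {cwd: 'app'})
.then('controllers')
.then('routes')
.into(app);
// Catch-all 404 page for anything the loaded routes did not handle.
app.get('*', function(req, res) {
res.status(404).render('404');
});
return app;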
};