}));
// Request body parsing, response compression and HTTP method override.
app.use(bodyParser.json());
app.use(compression({ level: 9 })); // highest compression level
app.use(methodOverride());
// cookieParser must be registered before any session middleware.
app.use(cookieParser());
// connect-flash is intentionally not enabled in this app.
//app.use(flash());
// Helmet response headers. helmet.xframe() (X-Frame-Options) is deliberately
// left out: the CORS middleware below sets its own X-Frame-Options value.
// app.use(helmet.xframe());
app.use(helmet.xssFilter());
app.use(helmet.nosniff());
app.use(helmet.ienoopen());
app.disable('x-powered-by');
// Open CORS policy: any origin may call this API with the listed methods and
// request headers. Because the allowed origin is "*", browsers will not send
// cookies or other credentials on cross-origin calls.
// Pre-flight (OPTIONS) requests are answered here with 204 and never reach
// the routes.
// NOTE(review): "ALLOWALL" is not a defined X-Frame-Options directive (the
// header only knows DENY, SAMEORIGIN and ALLOW-FROM); browsers ignore an
// unrecognised value, so in practice this app can be framed from any site.
// Confirm that is the intent rather than a typo for SAMEORIGIN.
app.use(function corsHeaders(req, res, next) {
  res.header('Access-Control-Allow-Origin', '*');
  res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
  res.header('Access-Control-Allow-Headers', 'x-openrtb-version,Content-Type,*');
  res.header('X-Frame-Options', 'ALLOWALL');
  if (req.method !== 'OPTIONS') {
    return next();
  }
  // Pre-flight: nothing to return beyond the headers above.
  console.log('INFO: Browser send OPTIONS request.');
  res.statusCode = 204;
  return res.end();
});
db: db.connection.db,
collection: config.sessionCollection
})
}));
// Passport: initialise, then restore the logged-in user from the session.
app.use(passport.initialize());
app.use(passport.session());
// connect-flash: one-shot messages carried in the session.
app.use(flash());
// Helmet response headers (X-Frame-Options, X-XSS-Protection,
// X-Content-Type-Options, X-Download-Options) and no X-Powered-By banner.
app.use(helmet.xframe());
app.use(helmet.xssFilter());
app.use(helmet.nosniff());
app.use(helmet.ienoopen());
app.disable('x-powered-by');
// Static assets from ./public; registered after helmet so that static
// responses carry the headers above.
app.use(express.static(path.resolve('./public')));
// Each file under ./app/routes exports function(app) that mounts its routes.
var mountRouteFile = function (routePath) {
  require(path.resolve(routePath))(app);
};
config.getGlobbedFiles('./app/routes/**/*.js').forEach(mountRouteFile);
// Assume that 'not found' in the error message means a 404. This is somewhat silly, but valid; you can do whatever you like here: set properties, use instanceof, etc.
app.use(function(err, req, res, next) {
// If the error object doesn't exists
if (!err) return next();
'connect-src': [
"'self'",
'api.bitcoinaverage.com', 'chain.so', // tickers
'btc.blockr.io', 'tbtc.blockr.io', 'ltc.blockr.io', // blockchain APIs
process.env.DB_HOST, proxyHost
],
'font-src': ['s3.amazonaws.com'],
'img-src': ["'self'", 'data:', 'www.gravatar.com'],
'style-src': ["'self'", 's3.amazonaws.com'],
'script-src': ["'self'", 'blob:', "'unsafe-eval'"], // http://lists.w3.org/Archives/Public/public-webappsec/2014Apr/0021.html, https://github.com/ractivejs/ractive/issues/285
reportOnly: false,
setAllHeaders: false,
safari5: true
}))
// Helmet response headers: X-XSS-Protection, X-Content-Type-Options and
// X-Frame-Options restricted to same-origin framing.
app.use(helmet.xssFilter());
app.use(helmet.nosniff());
app.use(helmet.xframe('sameorigin'));
// HSTS for 90 days, covering subdomains.
// NOTE(review): the value is in milliseconds, which is what helmet releases
// of this vintage (the ones still exposing helmet.xframe) expect; helmet 3+
// takes maxAge in seconds, so re-check this on any helmet upgrade.
var HSTS_MAX_AGE_MS = 90 * 24 * 60 * 60 * 1000;
app.use(helmet.hsts({
  maxAge: HSTS_MAX_AGE_MS,
  includeSubdomains: true
}));
}
var anHour = 1000*60*60
app.use(express.bodyParser())
app.use(express.cookieParser(process.env.COOKIE_SALT))
app.use(express.cookieSession({
proxy: true,
cookie: {
maxAge: anHour,
/**
 * Register helmet's header middleware on an Express app and hide the
 * X-Powered-By banner.
 *
 * Middleware is registered in this order: xframe, xssFilter, nosniff,
 * ienoopen; then 'x-powered-by' is disabled.
 *
 * @param {object} app - Express application (needs use() and disable())
 * @returns {undefined}
 */
function initHelmetHeaders(app) {
  // Factory name on the helmet module, in registration order.
  var helmetFactories = ['xframe', 'xssFilter', 'nosniff', 'ienoopen'];
  helmetFactories.forEach(function (factoryName) {
    app.use(helmet[factoryName]());
  });
  app.disable('x-powered-by');
}
db: db.connection.db,
collection: config.sessionCollection
})
}));
// Passport authentication: initialise, then load the session user.
app.use(passport.initialize());
app.use(passport.session());
// connect-flash for one-shot session messages.
app.use(flash());
// Helmet headers (X-Frame-Options, X-XSS-Protection, X-Content-Type-Options,
// X-Download-Options); drop the X-Powered-By banner.
app.use(helmet.xframe());
app.use(helmet.xssFilter());
app.use(helmet.nosniff());
app.use(helmet.ienoopen());
app.disable('x-powered-by');
// Static folder, mounted after helmet so static responses get its headers.
app.use(express.static(path.resolve('./public')));
// Route files under ./app/routes each export function(app).
var registerRoutes = function (routePath) {
  require(path.resolve(routePath))(app);
};
config.getGlobbedFiles('./app/routes/**/*.js').forEach(registerRoutes);
// Assume that 'not found' in the error message means a 404. This is somewhat silly, but valid; you can do whatever you like here: set properties, use instanceof, etc.
app.use(function(err, req, res, next) {
// If the error object doesn't exists
if (!err) return next();
db: db.connection.db,
collection: config.sessionCollection
})
}));
// Passport: initialise, then restore the user from the session.
app.use(passport.initialize());
app.use(passport.session());
// connect-flash for one-shot session messages.
app.use(flash());
// Helmet headers (X-Frame-Options, X-XSS-Protection, X-Content-Type-Options,
// X-Download-Options) and no X-Powered-By banner.
app.use(helmet.xframe());
app.use(helmet.xssFilter());
app.use(helmet.nosniff());
app.use(helmet.ienoopen());
app.disable('x-powered-by');
// Static folders: the main app at /, the builder and shared assets under
// their own prefixes. All are mounted after helmet so they get its headers.
app.use(express.static(path.resolve('./public')));
app.use('/builder/public', express.static(path.resolve('./builder/public')));
app.use('/shared/public', express.static(path.resolve('./shared/public')));
// Route files export function(app); main app routes are mounted first,
// then the builder's.
var mountRouteFile = function (routePath) {
  require(path.resolve(routePath))(app);
};
['./app/routes/**/*.js', './builder/app/routes/**/*.js'].forEach(function (pattern) {
  config.getGlobbedFiles(pattern).forEach(mountRouteFile);
});
/**
 * Install helmet's header middleware on an Express app: X-Frame-Options,
 * X-XSS-Protection, X-Content-Type-Options, X-Download-Options and
 * Strict-Transport-Security, then hide the X-Powered-By banner.
 *
 * @param {object} app - Express application (needs use() and disable())
 * @returns {undefined}
 */
module.exports.initHelmetHeaders = function (app) {
  // HSTS lifetime: 15778476000 ms is about half a year (182.6 days).
  // NOTE(review): helmet of this vintage takes maxAge in milliseconds;
  // helmet 3+ expects seconds, so re-check this constant on upgrade.
  var hstsMaxAgeMs = 15778476000;
  var hstsOptions = {
    maxAge: hstsMaxAgeMs,
    includeSubdomains: true,
    // force: presumably sends the header even when req.secure is false
    // (TLS terminated upstream) — verify against the installed helmet.
    force: true
  };
  app.use(helmet.xframe());
  app.use(helmet.xssFilter());
  app.use(helmet.nosniff());
  app.use(helmet.ienoopen());
  app.use(helmet.hsts(hstsOptions));
  app.disable('x-powered-by');
};
/**
 * Register helmet's header middleware (X-Frame-Options, X-XSS-Protection,
 * X-Content-Type-Options, X-Download-Options, Strict-Transport-Security)
 * on an Express app and disable the X-Powered-By banner.
 *
 * @param {object} app - Express application (needs use() and disable())
 * @returns {undefined}
 */
module.exports.initHelmetHeaders = function (app) {
  // 15778476000 ms is roughly six months.
  // NOTE(review): milliseconds is what this helmet generation expects for
  // maxAge; helmet 3+ switched to seconds — re-check on upgrade.
  var sixMonthsMs = 15778476000;
  app.use(helmet.xframe());
  app.use(helmet.xssFilter());
  app.use(helmet.nosniff());
  app.use(helmet.ienoopen());
  app.use(helmet.hsts({
    maxAge: sixMonthsMs,
    includeSubdomains: true,
    // presumably emits the header even on non-TLS requests — verify
    force: true
  }));
  app.disable('x-powered-by');
};
}
// Body parsing has to come before methodOverride (which reads the body).
// NOTE(review): a 100mb limit on both parsers lets a single unauthenticated
// request hold a large body in memory; confirm that uploads of that size
// are really expected on these routes.
var bodyLimit = '100mb';
app.use(bodyParser.urlencoded({
  limit: bodyLimit,
  extended: true
}));
app.use(bodyParser.json({
  limit: bodyLimit
}));
app.use(methodOverride());
// Helmet response headers. X-Frame-Options uses ALLOW-FROM so the app can be
// embedded by http://webpivottable.com.
// NOTE(review): ALLOW-FROM is only honoured by some browsers (IE and older
// Firefox); Chrome and Safari ignore an unrecognised directive, so in those
// browsers this sets no framing restriction at all. A frame-ancestors CSP
// directive is the portable way to express this.
app.use(helmet.xframe('allow-from', 'http://webpivottable.com'));
app.use(helmet.xssFilter());
app.use(helmet.nosniff());
app.use(helmet.ienoopen());
app.disable('x-powered-by');
// Static folder, mounted after helmet so static responses get its headers.
app.use(express.static(path.resolve('./public')));
// cookieParser must precede the session middleware.
app.use(cookieParser());
// Express MongoDB session storage
app.use(session({
saveUninitialized: true,
resave: true,
secret: config.sessionSecret,
store: new mongoStore({
// Request logging and robots.txt first, so every request is logged.
server.use(requestLogger.call(null, morpheus.getLogger('express-loader')));
server.use(robotstxt);
// Method override, then body parsing (JSON, form-encoded, multipart).
server.use(methodOverride());
server.use(bodyParser.json());
server.use(bodyParser.urlencoded({
  extended: true
}));
server.use(multer());
// Static content: images, favicon and the active theme.
var appRoot = morpheus.config.appRoot;
server.use('/content/images', express.static(path.join(appRoot, '/content/images/')));
server.use(favicon(path.join(appRoot, 'content/favicon.ico')));
server.use(express.static(path.join(appRoot, '/content/themes/', morpheus.config.theme)));
// Helmet response headers (X-Frame-Options, X-XSS-Protection,
// X-Content-Type-Options, X-Download-Options).
// NOTE(review): these are registered after the static handlers above, and
// express.static ends the response for files it serves, so static responses
// go out without these headers; the same applies to sslRedirection below.
// If that is deliberate, a comment saying so would help.
server.use(helmet.xframe());
server.use(helmet.xssFilter());
server.use(helmet.nosniff());
server.use(helmet.ienoopen());
// Remove the X-Powered-By header.
server.use(helmet.hidePoweredBy());
server.use(sslRedirection);
// Fluxible app context, Fetchr data services, input sanitising, trailing slashes.
server.use(fluxibleContext.call(null, appContext));
fetchrPlugin.registerService(morpheus.services.content);
server.use(fetchrPlugin.getXhrPath(), fetchrPlugin.getMiddleware());
server.use(sanitize);
server.use(slashes());