How to use the koa-helmet.contentSecurityPolicy function in koa-helmet

To help you get started, we’ve selected a few koa-helmet examples, based on popular ways it is used in public projects.


github outline / outline / server / app.js View on Github external
// we don't need to report every time a request stops to the bug tracker
      if (error.code === 'EPIPE' || error.code === 'ECONNRESET') {
        console.warn('Connection error', { error });
      } else {
        bugsnag.koaHandler(error, ctx);
      }
    });
  }
}

// Koa runs middleware in registration order. The auth and API routers are
// mounted ahead of the security-header middleware below, so any response a
// router ends without calling next() is sent without the helmet/CSP headers --
// NOTE(review): confirm that is intended for API responses.
app.use(mount('/auth', auth));
app.use(mount('/api', api));

// Baseline security headers (helmet defaults); the CSP is configured explicitly
// below so its directives are visible in this file.
app.use(helmet());
app.use(
  contentSecurityPolicy({
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: [
        "'self'",
        "'unsafe-inline'",
        "'unsafe-eval'",
        'gist.github.com',
        'www.google-analytics.com',
        'd2wy8f7a9ursnm.cloudfront.net',
      ],
      styleSrc: ["'self'", "'unsafe-inline'", 'github.githubassets.com'],
      imgSrc: ['*', 'data:', 'blob:'],
      frameSrc: ['*'],
      connectSrc: compact([
        "'self'",
        process.env.AWS_S3_UPLOAD_BUCKET_URL,
github marmelab / javascript-boilerplate / src / api / server.js View on Github external
// Surface promise rejections that nothing awaited. Registering a handler
// replaces Node's default handling of them, so the process keeps running.
process.on('unhandledRejection', function onUnhandledRejection(error, promise) {
    const details = { error, promise };
    console.error('unhandled promise rejection:', details); // eslint-disable-line no-console
});

app.use(koaMount('/healthcare', healthcare));

// XmlHttpRequest shim for IE
app.use(xdomainRoute);

// Security headers. koaHelmet() applies helmet's default header set; the CSP
// is deliberately minimal (everything same-origin) and frameguard('deny')
// refuses to be embedded in any frame.
// NOTE(review): helmet's defaults already include a frameguard header; the
// explicit 'deny' registered afterwards is expected to win -- verify in the
// response headers.
const apiCspOptions = { directives: { defaultSrc: ["'self'"] } };
app.use(koaHelmet());
app.use(koaHelmet.contentSecurityPolicy(apiCspOptions));
app.use(koaHelmet.frameguard('deny'));
app.use(koaCors({
    credentials: true,
    exposeHeaders: [
        'Authorization',
        'Content-Disposition',
        'Content-Type',
        'X-Entities',
    ],
    allowHeaders: [
        'Authorization',
        'Content-Disposition',
        'Content-Type',
        'X-Entities',
    ],
    allowMethods: [
github marmelab / javascript-boilerplate / src / api / index.js View on Github external
// Surface promise rejections that nothing awaited. Registering a handler
// replaces Node's default handling of them, so the process keeps running.
process.on('unhandledRejection', function onUnhandledRejection(error, promise) {
    const details = { error, promise };
    console.error('unhandled promise rejection:', details); // eslint-disable-line no-console
});

app.use(koaMount('/healthcare', healthcare));

// XmlHttpRequest shim for IE
app.use(xdomainRoute);

// Security headers. koaHelmet() applies helmet's default header set; the CSP
// is deliberately minimal (everything same-origin) and frameguard('deny')
// refuses to be embedded in any frame.
// NOTE(review): helmet's defaults already include a frameguard header; the
// explicit 'deny' registered afterwards is expected to win -- verify in the
// response headers.
const apiCspOptions = { directives: { defaultSrc: ["'self'"] } };
app.use(koaHelmet());
app.use(koaHelmet.contentSecurityPolicy(apiCspOptions));
app.use(koaHelmet.frameguard('deny'));
app.use(koaCors({
    credentials: true,
    exposeHeaders: [
        'Authorization',
        'Content-Disposition',
        'Content-Type',
        'X-Entities',
    ],
    allowHeaders: [
        'Authorization',
        'Content-Disposition',
        'Content-Type',
        'X-Entities',
    ],
    allowMethods: [
github howtocards / frontend / mock-server / server / index.js View on Github external
/**
 * Build the mock API server.
 *
 * Koa runs middleware in registration order: CORS, compression and logging
 * wrap every request, the `/api` router handles matching paths, and
 * `notFoundMiddleware` is last so it only runs when nothing before it ended
 * the chain.
 *
 * @returns {Koa} a configured, not yet listening, application
 */
function createApp() {
  const app = new Koa()

  // Cross-cutting middleware first so every response passes through it.
  app.use(cors())
  app.use(compress())
  app.use(logger())

  // app.use(mount('/rpc', rpc))
  app.use(mount("/api", api))

  // Same-origin policy for everything; the single relaxation is inline styles.
  // NOTE(review): 'unsafe-inline' in style-src also permits injected inline
  // CSS, so confirm it is still needed by what the mock serves.
  const cspDirectives = {
    defaultSrc: ["'self'"],
    styleSrc: ["'self'", "'unsafe-inline'"],
  }
  app.use(contentSecurityPolicy({ directives: cspDirectives }))

  app.use(notFoundMiddleware)

  return app
}
github freedomexio / rocketx-condenser / server / server.js View on Github external
// Register the API route groups. Koa runs middleware in registration order, so
// these sit ahead of the CSP middleware below; a response an API handler ends
// without calling next() will not carry the CSP header --
// NOTE(review): confirm that is intended.
useAccountRecoveryApi(app);
useOauthLogin(app);
useGeneralApi(app);
useNotificationsApi(app);

// helmet wants some things as bools and some as lists, makes config difficult.
// our config uses strings, this splits them to lists on whitespace.

if (env === 'production') {
    // Config values are strings; convertEntriesToArrays turns each directive
    // into the list form helmet expects.
    const directives = convertEntriesToArrays(config.get('helmet.directives'));
    const reportOnly = config.get('helmet.reportOnly');
    const setAllHeaders = config.get('helmet.setAllHeaders');

    // Violation reports always go to this app's own endpoint; any report-uri
    // present in the config is overwritten here.
    directives.reportUri = '/api/v1/csp_violation';

    // NOTE(review): the CSP is only enforced in production, so directive
    // mistakes never surface in development; consider applying it everywhere
    // with reportOnly outside production.
    app.use(helmet.contentSecurityPolicy({ directives, reportOnly, setAllHeaders }));
}

// Favicon assets live in one directory: the main icon is served by the
// favicon middleware, the rest of the set from a cached static mount.
const faviconAssetsDir = path.join(__dirname, '../app/assets/images/favicons');
app.use(favicon(path.join(faviconAssetsDir, 'favicon.ico')));
app.use(isBot());
app.use(mount('/favicons', staticCache(faviconAssetsDir, cacheOpts)));
app.use(
github freedomexio / rocketx-condenser / src / server / server.js View on Github external
// General API routes are registered ahead of the CSP middleware below, so an
// API response that ends the chain without calling next() will not carry the
// CSP header -- NOTE(review): confirm that is intended.
useGeneralApi(app);

// helmet wants some things as bools and some as lists, makes config difficult.
// our config uses strings, this splits them to lists on whitespace.
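if (env === 'production') {
    // Config values are strings; convertEntriesToArrays turns each directive
    // into the list form helmet expects.
    const directives = convertEntriesToArrays(config.get('helmet.directives'));
    const reportOnly = config.get('helmet.reportOnly');
    const setAllHeaders = config.get('helmet.setAllHeaders');

    // report-uri takes a single URL, so unwrap the list produced above. The
    // config uses '-' for "no reporting endpoint"; an absent or null entry is
    // treated the same way instead of crashing on `undefined[0]` at startup.
    const reportUri = Array.isArray(directives.reportUri)
        ? directives.reportUri[0]
        : directives.reportUri;
    if (reportUri == null || reportUri === '-') {
        delete directives.reportUri;
    } else {
        directives.reportUri = reportUri;
    }

    // NOTE(review): the CSP is only enforced in production, so directive
    // mistakes never surface in development; consider applying it everywhere
    // with reportOnly outside production.
    app.use(helmet.contentSecurityPolicy({ directives, reportOnly, setAllHeaders }));
}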

if (env !== 'test') {
    const appRender = require('./app_render');

    // Load special posts and store them on the ctx for later use. Since
    // we're inside a generator, we can't `await` here, so we pass a promise
    // so `src/server/app_render.jsx` can `await` on it.
    app.specialPostsPromise = specialPosts();
    // refresh special posts every five minutes
    setInterval(function() {
        return new Promise(function(resolve, reject) {
            app.specialPostsPromise = specialPosts();
            resolve();
        });
    }, 300000);
github Someguy123 / understeem / server / server.js View on Github external
// Baseline security headers (helmet defaults) are registered before any route
// so every response that reaches this chain carries them.
app.use(helmet());

const staticAssetsDir = path.join(__dirname, '../app/assets/static');
app.use(mount('/static', staticCache(staticAssetsDir, cacheOpts)));

// robots.txt is generated in code rather than served from disk. Generator
// middleware: `this` is the Koa context.
app.use(mount('/robots.txt', function* robotsTxt() {
    // NOTE(review): Cache-Control max-age is in seconds, so 86400000 is about
    // 1000 days -- this looks like a milliseconds value; confirm 86400 (one
    // day) was not intended.
    const cacheControl = 'public, max-age=86400000';
    this.set('Cache-Control', cacheControl);
    this.type = 'text/plain';
    this.body = "User-agent: *\nAllow: /";
}));

useRedirects(app);
// useEnterAndConfirmEmailPages(app);

// The CSP is passed verbatim from config.helmet (its directives are not
// visible here) and is enforced only in production.
// NOTE(review): a bad directive therefore never surfaces in development;
// consider a report-only policy outside production.
const cspEnforced = env === 'production';
if (cspEnforced) {
    app.use(helmet.contentSecurityPolicy(config.helmet));
}

// useAccountRecoveryApi(app);
// useOauthLogin(app);
// useGeneralApi(app);

// Image assets: the main favicon goes through the favicon middleware, the
// favicon set and the images tree are cached static mounts.
const imageAssetsDir = path.join(__dirname, '../app/assets/images');
const faviconAssetsDir = path.join(imageAssetsDir, 'favicons');
app.use(favicon(path.join(faviconAssetsDir, 'favicon.ico')));
app.use(isBot());
app.use(mount('/favicons', staticCache(faviconAssetsDir, cacheOpts)));
app.use(mount('/images', staticCache(imageAssetsDir, cacheOpts)));
// Proxy asset folder to webpack development server in development mode
if (env === 'development') {
    const PORT = parseInt(process.env.PORT, 10) + 1 || 3001;
    const proxy = require('koa-proxy')({
        host: 'http://0.0.0.0:' + PORT,
        map: (filePath) => 'assets/' + filePath