

Add security headers
This sets the following headers:
- Content-Security-Policy
- X-Frame-Options
- X-XSS-Protection
marcofucci committed Aug 23, 2016
1 parent 0db2d71 commit 64f3402
Showing 2 changed files with 33 additions and 0 deletions.
1 change: 1 addition & 0 deletions package.json
Expand Up @@ -18,6 +18,7 @@
"grunt-nodemon": "0.3.0",
"grunt-sass": "1.1.0",
"grunt-text-replace": "0.3.12",
"helmet": "^2.1.2",
"minimist": "0.0.8",
"node-sass": "3.4.2",
"readdir": "0.0.6",
32 changes: 32 additions & 0 deletions server.js
@@ -1,5 +1,6 @@
var path = require('path'),
express = require('express'),
helmet = require('helmet'),
swig = require('swig'),
swig_extras = require('swig-extras'),
session = require('express-session'),
Expand Down Expand Up @@ -55,6 +56,37 @@ app.use(session({
secret: 'this is actually public'
}));

if (env !== 'development') {
app.use(helmet.contentSecurityPolicy({
directives: {
defaultSrc: [
'\'self\''
],
scriptSrc: [
'\'self\'',
'\'unsafe-inline\''
],
imgSrc: [
'\'self\'',
'data:'
],
styleSrc: [
'\'self\'',
'\'unsafe-inline\''
],
connectSrc: [
'\'self\''
]
}
}));
app.use(helmet.xssFilter());
app.use(helmet.frameguard({
action: 'deny',
}));
app.use(helmet.hidePoweredBy());
app.use(helmet.ieNoOpen());
}

// give views/layouts direct access to session data
app.use(function(req, res, next){
res.locals.session = req.session;
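Review bot: `'unsafe-inline'` in the scriptSrc directive lets the browser run any inline script, so the policy no longer blocks injected script and the only remaining XSS defence here is the X-XSS-Protection filter from `helmet.xssFilter()`, which current browsers no longer implement; moving the inline scripts into files served from `'self'`, or allowing them by nonce or hash, would let the directive do its job. Gating the whole block on `env !== 'development'` means the policy is never exercised locally and any breakage it causes surfaces only in production; applying it in development too (or in report-only mode there) would catch that earlier. The block sets no X-Content-Type-Options header; adding `app.use(helmet.noSniff());` next to the other helmet middleware closes that gap. The commit message names three headers, but the hunk also adds `hidePoweredBy()` and `ieNoOpen()`, which the description could mention.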
