diff --git a/package.json b/package.json
index fa7ef3b..11cbc1b 100644
--- a/package.json
+++ b/package.json
@@ -18,6 +18,7 @@
 "grunt-nodemon": "0.3.0",
 "grunt-sass": "1.1.0",
 "grunt-text-replace": "0.3.12",
+ "helmet": "^2.1.2",
 "minimist": "0.0.8",
 "node-sass": "3.4.2",
 "readdir": "0.0.6",
diff --git a/server.js b/server.js
index b83a80a..de87f9b 100644
--- a/server.js
+++ b/server.js
@@ -1,5 +1,6 @@
 var path = require('path'),
 express = require('express'),
+ helmet = require('helmet'),
 swig = require('swig'),
 swig_extras = require('swig-extras'),
 session = require('express-session'),
@@ -55,6 +56,37 @@ app.use(session({
 secret: 'this is actually public'
 }));
 
+if (env !== 'development') {
+ app.use(helmet.contentSecurityPolicy({
+ directives: {
+ defaultSrc: [
+ '\'self\''
+ ],
+ scriptSrc: [
+ '\'self\'',
+ '\'unsafe-inline\''
+ ],
+ imgSrc: [
+ '\'self\'',
+ 'data:'
+ ],
+ styleSrc: [
+ '\'self\'',
+ '\'unsafe-inline\''
+ ],
+ connectSrc: [
+ '\'self\''
+ ]
+ }
+ }));
+ app.use(helmet.xssFilter());
+ app.use(helmet.frameguard({
+ action: 'deny',
+ }));
+ app.use(helmet.hidePoweredBy());
+ app.use(helmet.ieNoOpen());
+}
+
 // give views/layouts direct access to session data
 app.use(function(req, res, next){
 res.locals.session = req.session;
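Review bot: The new `"helmet": "^2.1.2"` entry is the only caret range in a dependency list where every neighbouring package is pinned to an exact version, so a fresh install may pull a different helmet release than the one this change was tested with. Pinning it like the rest, `"helmet": "2.1.2",`, keeps installs reproducible and keeps the security middleware version under explicit review when it is bumped.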
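Review bot: The `scriptSrc` directive in the new contentSecurityPolicy block includes `'unsafe-inline'`, which allows any inline script the page ends up containing to execute and so gives up most of the injection protection the policy is meant to provide; the inline scripts the templates rely on should be served from files under 'self' or allowed by nonce/hash, and until that is done the directive deserves a comment such as `// TODO: drop 'unsafe-inline' from scriptSrc once inline scripts are externalised`. Wrapping the whole block in `if (env !== 'development')` also means policy violations are never seen locally, so they surface only after deployment; applying the policy in every environment (report-only in development if it is too disruptive) would catch them earlier. `X-Content-Type-Options: nosniff` is not set by any of the listed middleware; a single `app.use(helmet.noSniff());` next to `helmet.hidePoweredBy()` covers it. The hard-coded session secret in the context lines predates this change but sits directly above the new hardening and is worth tracking separately.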