Merge pull request #761 from SISheogorath/feature/reportURI

Add config option for report URI in CSP
This commit is contained in:
Christoph (Sheogorath) Kern 2018-03-14 22:10:23 +01:00 committed by GitHub
commit 9cbe03d8a8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 12 additions and 2 deletions

View File

@ -207,6 +207,7 @@ There are some config settings you need to change in the files below.
| `HMD_HSTS_MAX_AGE` | `31536000` | max duration in seconds to tell clients to keep HSTS status (default is a year) | | `HMD_HSTS_MAX_AGE` | `31536000` | max duration in seconds to tell clients to keep HSTS status (default is a year) |
| `HMD_HSTS_PRELOAD` | `true` | whether to allow preloading of the site's HSTS status (e.g. into browsers) | | `HMD_HSTS_PRELOAD` | `true` | whether to allow preloading of the site's HSTS status (e.g. into browsers) |
| `HMD_CSP_ENABLE` | `true` | whether to enable Content Security Policy (directives cannot be configured with environment variables) | | `HMD_CSP_ENABLE` | `true` | whether to enable Content Security Policy (directives cannot be configured with environment variables) |
| `HMD_CSP_REPORTURI` | `https://<someid>.report-uri.com/r/d/csp/enforce` | Allows to add a URL for CSP reports in case of violations |
## Application settings `config.json` ## Application settings `config.json`

View File

@ -18,7 +18,8 @@ module.exports = {
directives: { directives: {
}, },
addDefaults: true, addDefaults: true,
upgradeInsecureRequests: 'auto' upgradeInsecureRequests: 'auto',
reportURI: undefined
}, },
protocolusessl: false, protocolusessl: false,
usecdn: true, usecdn: true,

View File

@ -15,7 +15,8 @@ module.exports = {
preload: toBooleanConfig(process.env.HMD_HSTS_PRELOAD) preload: toBooleanConfig(process.env.HMD_HSTS_PRELOAD)
}, },
csp: { csp: {
enable: toBooleanConfig(process.env.HMD_CSP_ENABLE) enable: toBooleanConfig(process.env.HMD_CSP_ENABLE),
reportURI: process.env.HMD_CSP_REPORTURI
}, },
protocolusessl: toBooleanConfig(process.env.HMD_PROTOCOL_USESSL), protocolusessl: toBooleanConfig(process.env.HMD_PROTOCOL_USESSL),
alloworigin: toArrayConfig(process.env.HMD_ALLOW_ORIGIN), alloworigin: toArrayConfig(process.env.HMD_ALLOW_ORIGIN),

View File

@ -30,6 +30,7 @@ CspStrategy.computeDirectives = function () {
addInlineScriptExceptions(directives) addInlineScriptExceptions(directives)
} }
addUpgradeUnsafeRequestsOptionTo(directives) addUpgradeUnsafeRequestsOptionTo(directives)
addReportURI(directives)
return directives return directives
} }
@ -72,6 +73,12 @@ function addUpgradeUnsafeRequestsOptionTo (directives) {
} }
} }
function addReportURI (directives) {
if (config.csp.reportURI) {
directives.reportUri = config.csp.reportURI
}
}
CspStrategy.addNonceToLocals = function (req, res, next) { CspStrategy.addNonceToLocals = function (req, res, next) {
res.locals.nonce = uuid.v4() res.locals.nonce = uuid.v4()
next() next()