react-native/local-cli/server/middleware/getSecurityHeadersMiddlewar...

/**
 * Copyright (c) Facebook, Inc. and its affiliates.
 *
 * This source code is licensed under the MIT license found in the
 * LICENSE file in the root directory of this source tree.
 *
 * @strict
 * @format
 */

module.exports = function(req, res, next) {
  const address = req.client.server.address();

  // Block any cross origin request.
  if (
    req.headers.origin &&
    req.headers.origin !== `http://localhost:${address.port}`
  ) {
    next(new Error('Unauthorized'));
    return;
  }

  // Block MIME-type sniffing.
  res.setHeader('X-Content-Type-Options', 'nosniff');

  next();
};
Prevent cross origin requests to development server Summary: This diff adds a middleware to the RN development server to prevent processing requests coming from a third-party website. The way we choose to do it is to block any request that has an origin header and it's different than localhost. This will still allow simulators to work properly while blocking potential external websites to do malign CORS requests. This is just a first quick measure to block a potential attack vector while we implement full authentication in the RN development server Reviewed By: mjesun Differential Revision: D9238674 fbshipit-source-id: b7bdc40dabc2f4d92f5ac84515f93b89efa4e833 2018-08-22 16:52:05 +00:00			`/**`
Update copyright headers to yearless format Summary: This change drops the year from the copyright headers and the LICENSE file. Reviewed By: yungsters Differential Revision: D9727774 fbshipit-source-id: df4fc1e4390733fe774b1a160dd41b4a3d83302a 2018-09-11 22:27:47 +00:00			`* Copyright (c) Facebook, Inc. and its affiliates.`
Prevent cross origin requests to development server Summary: This diff adds a middleware to the RN development server to prevent processing requests coming from a third-party website. The way we choose to do it is to block any request that has an origin header and it's different than localhost. This will still allow simulators to work properly while blocking potential external websites to do malign CORS requests. This is just a first quick measure to block a potential attack vector while we implement full authentication in the RN development server Reviewed By: mjesun Differential Revision: D9238674 fbshipit-source-id: b7bdc40dabc2f4d92f5ac84515f93b89efa4e833 2018-08-22 16:52:05 +00:00			`*`
			`* This source code is licensed under the MIT license found in the`
			`* LICENSE file in the root directory of this source tree.`
			`*`
			`* @strict`
			`* @format`
			`*/`

			`module.exports = function(req, res, next) {`
			`const address = req.client.server.address();`

			`// Block any cross origin request.`
			`if (`
			`req.headers.origin &&`
			req.headers.origin !== `http://localhost:${address.port}`
			`) {`
			`next(new Error('Unauthorized'));`
			`return;`
			`}`

			`// Block MIME-type sniffing.`
			`res.setHeader('X-Content-Type-Options', 'nosniff');`

			`next();`
			`};`