Merge remote-tracking branch 'origin/main'

2025-01-28 10:17:04 -03:00 · 2025-01-28 10:17:04 -03:00 · 7a12a49d53
commit 7a12a49d53
parent d5eb8985ea 707458298a
1 changed files with 26 additions and 8 deletions
--- a/server/src/server.ts
+++ b/server/src/server.ts
@ -37,21 +37,39 @@ app.use(helmet());
 app.use(limiter);
 app.use('/', express.static(path.join(__dirname, '../static')));

-// Navigate to the admin route in the client
-app.get('/admin', (_req, res) => {
-  res.sendFile(path.resolve(__dirname, '../static', 'index.html'));
-});
-
-// Force HTTPS redirection in production
-if (process.env.ENVIRONMENT !== 'development') {
-  app.use((req, res, next) => {
+// Force HTTPS redirection and CSP in production
+if (process.env.ENVIRONMENT === 'production') {
+  app.use((req: any, res: any, next: any) => {
    if (req.headers['x-forwarded-proto'] !== 'https') {
      return res.redirect(`https://${req.headers.host}${req.url}`);
    }
    next();
  });
+
+  app.use(
+      helmet.contentSecurityPolicy({
+        useDefaults: true,
+        directives: {
+          'script-src': ['\'self\''],
+          'img-src': ['\'self\'', 'data:'],
+          'connect-src': ['\'self\'']
+        }
+      })
+  );
+} else {
+  // Disable https preference for non-prod
+  app.use(
+      helmet({
+        contentSecurityPolicy: false,
+      }),
+  );
 }

+// Navigate to the admin route in the client
+app.get('/admin', (_req: any, res: any) => {
+  res.sendFile(path.resolve(__dirname, '../static', 'index.html'));
+});
+
 // Maximum number of party lines allowed
 const MAX_PARTY_LINES = Number(process.env.MAX_PARTY_LINES);