rigelk · October 5, 2018 01:15
diff --git a/server.ts b/server.ts
 // Security middleware
 app.use(helmet({
  frameguard: {
    action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
  },
  hsts: false,
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ['*'], // by default, not specifying default-src = '*'
      mediaSrc: ["'self'"],
      fontSrc: ["'self' data:"],
      imgSrc: ["'self' data:"],
      scriptSrc: ["'self' 'unsafe-inline'"],
      styleSrc: ["'self' 'unsafe-inline'"],
      objectSrc: ["'none'"],
      pluginTypes: ["'none'"],
      manifestSrc: ["'self'"],
      frameSrc: ["'none'"], // instead of deprecated child-src
      workerSrc: ["'self'"], // instead of deprecated child-src
      upgradeInsecureRequests: true,
      reportUri: '<your_report_url'
    },
    reportOnly: true,
    browserSniff: false // assumes a modern browser, but allows CDN in front
  },
  referrerPolicy: {
    policy: 'strict-origin-when-cross-origin'
  }
 }))
	// Security middleware
	app.use(helmet({
	frameguard: {
	action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
	},
	hsts: false,
	contentSecurityPolicy: {
	directives: {
	defaultSrc: [''], // by default, not specifying default-src = ''
	mediaSrc: ["'self'"],
	fontSrc: ["'self' data:"],
	imgSrc: ["'self' data:"],
	scriptSrc: ["'self' 'unsafe-inline'"],
	styleSrc: ["'self' 'unsafe-inline'"],
	objectSrc: ["'none'"],
	pluginTypes: ["'none'"],
	manifestSrc: ["'self'"],
	frameSrc: ["'none'"], // instead of deprecated child-src
	workerSrc: ["'self'"], // instead of deprecated child-src
	upgradeInsecureRequests: true,
	reportUri: '<your_report_url'
	},
	reportOnly: true,
	browserSniff: false // assumes a modern browser, but allows CDN in front
	},
	referrerPolicy: {
	policy: 'strict-origin-when-cross-origin'
	}
	}))