add Content Security Policy (#1252)

* add Content Security Policy

* remove reflect-metadata on production builds to get rid of unsafe-eval

* fix baseCSP usage

* add SRI to CSP

* add blob: to media-src

* remove SRI

* CSP set to reportOnly

* add data: to connect-src CSP

* remove block-all-mixed-content

* add report-uri support
This commit is contained in:
Rigel Kent
2018-12-13 09:49:45 +01:00
committed by Chocobozzz
parent 9ecac97be0
commit 5e755fff9d
11 changed files with 75 additions and 4 deletions


@@ -53,6 +53,9 @@ if (errorMessage !== null) {
app.set('trust proxy', CONFIG.TRUST_PROXY)
// Security middleware
import { baseCSP } from './server/middlewares'
app.use(baseCSP)
app.use(helmet({
frameguard: {
action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts