Merge pull request #174 from data-intuitive/develop

Develop
data-intuitive · Jan 5, 2023 · bba5671 · bba5671
2 parents f4c445f + 4d3ebfc
commit bba5671
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,15 @@
 # CHANGELOG
 
+## Version 5.4.3
+
+### Other
+
+- Set the contentSecurityPolicy option in helmet to improve cross-site scripting security
+
+### Deployment changes
+
+- `serverConfiguration.js` should contain valid information matching the deployment infrastructure
+
 ## Version 5.4.2
 
 ## Minor changes

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
     "name": "LuciusWeb",
-    "version": "5.4.2",
+    "version": "5.4.3",
     "description": "Web interface for ComPass aka Lucius",
     "repository": {
         "type": "git",

diff --git a/server.js b/server.js
@@ -1,3 +1,6 @@
+// Own module to contain deployment-specific server.js information
+const serverConfiguration = require("./serverConfiguration.js");
+
 const path = require("path");
 const express = require("express");
 const helmet = require("helmet");
@@ -10,7 +13,7 @@ const app = express();
 app.use(express.static(DIST_DIR));
 
 // Tweak rules so that it allows off-site logo & sourire images
-// app.use(helmet.contentSecurityPolicy());
+app.use(helmet.contentSecurityPolicy( serverConfiguration.contentSecurityPolicy ));
 // app.use(helmet.crossOriginEmbedderPolicy());
 // app.use(helmet.crossOriginOpenerPolicy());
 app.use(helmet.crossOriginResourcePolicy({ policy: "cross-origin" }));

diff --git a/serverConfiguration.js b/serverConfiguration.js
@@ -0,0 +1,22 @@
+"use strict"
+
+const serverConfiguration = {
+
+// Sets the content Security Policy in helmet
+// Basically, define which sources are allowed to come from which locations
+// This is a default value that works with a local host, Spark Jobserver and a Sourire instance
+  contentSecurityPolicy: {
+    directives: {
+      defaultSrc: ["'self'"],
+      scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
+      connectSrc: ["localhost:3080", "localhost:8090"],
+      styleSrc: ["'self'", "'unsafe-inline'", "fonts.googleapis.com"],
+      imgSrc: ["'self'", "localhost:9999", "www.data-intuitive.com"],
+    }
+  }
+}
+
+exports = serverConfiguration
+module.exports = serverConfiguration
+
+exports["default"] = serverConfiguration