external/MeshCentral
1
0
Fork 0
mirror of https://github.com/Ylianst/MeshCentral.git synced 2025-03-09 15:40:18 +00:00
Code Issues Releases Wiki Activity

Added more security in HTTP headers

Browse source
This commit is contained in:
Ylian Saint-Hilaire 2019-09-12 15:12:40 -07:00
parent 433bff309e
commit 6dde0cce0f
4 changed files with 20 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

13
webserver.js
View file

@ -3146,7 +3146,18 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
// If this domain has configured headers, use them.
// Example headers: { 'Strict-Transport-Security': 'max-age=360000;includeSubDomains' };
// { 'Referrer-Policy': 'no-referrer', 'x-frame-options': 'SAMEORIGIN', 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'Content-Security-Policy': "default-src http: ws: data: 'self';script-src http: 'unsafe-inline';style-src http: 'unsafe-inline'" };
if ((domain != null) && (domain.httpheaders != null) && (typeof domain.httpheaders == 'object')) { res.set(domain.httpheaders); }
if ((domain != null) && (domain.httpheaders != null) && (typeof domain.httpheaders == 'object')) {
res.set(domain.httpheaders);
} else {
// Use default security headers
res.set({
"X-Frame-Options": "sameorigin",
"Referrer-Policy": "no-referrer",
"X-XSS-Protection": "1; mode=block",
"X-Content-Type-Options": "nosniff",
"Content-Security-Policy": "default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; frame-src 'self'; media-src 'self'"
});
}
// Detect if this is a file sharing domain, if so, just share files.
if ((domain != null) && (domain.share != null)) {