18a9c7e371
* Update `packages/` * Update examples * Update tests * Update bench * Update top level files * Fix build * trigger
31 lines
786 B
JavaScript
31 lines
786 B
JavaScript
const helmet = require('helmet')
|
|
const uuidv4 = require('uuid/v4')
|
|
|
|
module.exports = function csp(app) {
|
|
// Create a nonce on every request and make it available to other middleware
|
|
app.use((req, res, next) => {
|
|
res.locals.nonce = Buffer.from(uuidv4()).toString('base64')
|
|
next()
|
|
})
|
|
|
|
const nonce = (req, res) => `'nonce-${res.locals.nonce}'`
|
|
|
|
const scriptSrc = [nonce, "'strict-dynamic'", "'unsafe-inline'", 'https:']
|
|
|
|
// In dev we allow 'unsafe-eval', so HMR doesn't trigger the CSP
|
|
if (process.env.NODE_ENV !== 'production') {
|
|
scriptSrc.push("'unsafe-eval'")
|
|
}
|
|
|
|
app.use(
|
|
helmet({
|
|
contentSecurityPolicy: {
|
|
directives: {
|
|
baseUri: ["'none'"],
|
|
objectSrc: ["'none'"],
|
|
scriptSrc,
|
|
},
|
|
},
|
|
})
|
|
)
|
|
}
|