freeCodeCamp/server/middlewares/csp.js

import helmet from 'helmet';

const trusted = [
  "'self'"
];

export default function csp() {
  return helmet.csp({
    defaultSrc: trusted,
    scriptSrc: [
      "'unsafe-eval'",
      "'unsafe-inline'",
      '*.google-analytics.com',
      '*.gstatic.com',
      'https://*.cloudflare.com',
      '*.cloudflare.com',
      'https://*.gitter.im',
      'https://*.cdnjs.com',
      '*.cdnjs.com',
      'https://*.jsdelivr.com',
      '*.jsdelivr.com',
      '*.twimg.com',
      'https://*.twimg.com'
    ].concat(trusted),
    connectSrc: [
      'vimeo.com'
    ].concat(trusted),
    styleSrc: [
      "'unsafe-inline'",
      '*.gstatic.com',
      '*.googleapis.com',
      '*.bootstrapcdn.com',
      'https://*.bootstrapcdn.com',
      '*.cloudflare.com',
      'https://*.cloudflare.com'
    ].concat(trusted),
    fontSrc: [
      '*.cloudflare.com',
      'https://*.cloudflare.com',
      '*.bootstrapcdn.com',
      '*.googleapis.com',
      '*.gstatic.com',
      'https://*.bootstrapcdn.com'
    ].concat(trusted),
    imgSrc: [
      // allow all input since we have user submitted images for
      // public profile
      '*',
      'data:'
    ],
    mediaSrc: [
      '*.bitly.com',
      '*.amazonaws.com',
      '*.twitter.com'
    ].concat(trusted),
    frameSrc: [
      '*.gitter.im',
      '*.gitter.im https:',
      '*.vimeo.com',
      '*.twitter.com',
      '*.ghbtns.com',
      '*.freecatphotoapp.com'
    ].concat(trusted),
    // set to true if you only want to report errors
    reportOnly: false,
    // set to true if you want to set all headers
    setAllHeaders: false,
    // set to true if you want to force buggy CSP in Safari 5
    safari5: false
  });
}
use (LMP)loopback middleware phases bump loopback-component-passport which uses LMP move custom middlewares to middlewares directory 2015-08-04 01:25:34 -07:00			`import helmet from 'helmet';`

			`const trusted = [`
Reduce header size This is needed to move to cloudFlare 2015-12-07 15:30:54 -08:00			`"'self'"`
use (LMP)loopback middleware phases bump loopback-component-passport which uses LMP move custom middlewares to middlewares directory 2015-08-04 01:25:34 -07:00			`];`

			`export default function csp() {`
			`return helmet.csp({`
			`defaultSrc: trusted,`
			`scriptSrc: [`
Reduce header size This is needed to move to cloudFlare 2015-12-07 15:30:54 -08:00			`"'unsafe-eval'",`
			`"'unsafe-inline'",`
			`'*.google-analytics.com',`
			`'*.gstatic.com',`
			`'https://*.cloudflare.com',`
			`'*.cloudflare.com',`
Add chat to challenges! 2015-10-08 16:42:24 -07:00			`'https://*.gitter.im',`
Reduce header size This is needed to move to cloudFlare 2015-12-07 15:30:54 -08:00			`'https://*.cdnjs.com',`
			`'*.cdnjs.com',`
			`'https://*.jsdelivr.com',`
			`'*.jsdelivr.com',`
			`'*.twimg.com',`
			`'https://*.twimg.com'`
use (LMP)loopback middleware phases bump loopback-component-passport which uses LMP move custom middlewares to middlewares directory 2015-08-04 01:25:34 -07:00			`].concat(trusted),`
Add freecatphotoapp to csp 2015-12-09 11:02:06 -08:00			`connectSrc: [`
use (LMP)loopback middleware phases bump loopback-component-passport which uses LMP move custom middlewares to middlewares directory 2015-08-04 01:25:34 -07:00			`'vimeo.com'`
			`].concat(trusted),`
			`styleSrc: [`
Reduce header size This is needed to move to cloudFlare 2015-12-07 15:30:54 -08:00			`"'unsafe-inline'",`
			`'*.gstatic.com',`
use (LMP)loopback middleware phases bump loopback-component-passport which uses LMP move custom middlewares to middlewares directory 2015-08-04 01:25:34 -07:00			`'*.googleapis.com',`
Reduce header size This is needed to move to cloudFlare 2015-12-07 15:30:54 -08:00			`'*.bootstrapcdn.com',`
			`'https://*.bootstrapcdn.com',`
			`'*.cloudflare.com',`
			`'https://*.cloudflare.com'`
			`].concat(trusted),`
			`fontSrc: [`
			`'*.cloudflare.com',`
			`'https://*.cloudflare.com',`
			`'*.bootstrapcdn.com',`
			`'*.googleapis.com',`
			`'*.gstatic.com',`
			`'https://*.bootstrapcdn.com'`
use (LMP)loopback middleware phases bump loopback-component-passport which uses LMP move custom middlewares to middlewares directory 2015-08-04 01:25:34 -07:00			`].concat(trusted),`
			`imgSrc: [`
			`// allow all input since we have user submitted images for`
			`// public profile`
Hot fix for chat close button 2015-10-16 20:23:24 -07:00			`'*',`
			`'data:'`
Reduce header size This is needed to move to cloudFlare 2015-12-07 15:30:54 -08:00			`],`
use (LMP)loopback middleware phases bump loopback-component-passport which uses LMP move custom middlewares to middlewares directory 2015-08-04 01:25:34 -07:00			`mediaSrc: [`
Reduce header size This is needed to move to cloudFlare 2015-12-07 15:30:54 -08:00			`'*.bitly.com',`
use (LMP)loopback middleware phases bump loopback-component-passport which uses LMP move custom middlewares to middlewares directory 2015-08-04 01:25:34 -07:00			`'*.amazonaws.com',`
			`'*.twitter.com'`
			`].concat(trusted),`
			`frameSrc: [`
			`'*.gitter.im',`
			`'*.gitter.im https:',`
			`'*.vimeo.com',`
			`'*.twitter.com',`
Add freecatphotoapp to csp 2015-12-09 11:02:06 -08:00			`'*.ghbtns.com',`
			`'*.freecatphotoapp.com'`
use (LMP)loopback middleware phases bump loopback-component-passport which uses LMP move custom middlewares to middlewares directory 2015-08-04 01:25:34 -07:00			`].concat(trusted),`
			`// set to true if you only want to report errors`
			`reportOnly: false,`
			`// set to true if you want to set all headers`
			`setAllHeaders: false,`
			`// set to true if you want to force buggy CSP in Safari 5`
			`safari5: false`
			`});`
			`}`