freeCodeCamp/server/middlewares/csp.js

import helmet from 'helmet';

let trusted = [
  "'self'"
];

if (process.env.NODE_ENV !== 'production') {
  trusted.push('ws://localhost:3001');
}

export default function csp() {
  return helmet.contentSecurityPolicy({
    directives: {
      defaultSrc: trusted,
      scriptSrc: [
        "'unsafe-eval'",
        "'unsafe-inline'",
        '*.google-analytics.com',
        '*.gstatic.com',
        'https://*.cloudflare.com',
        '*.cloudflare.com',
        'https://*.gitter.im',
        'https://*.cdnjs.com',
        '*.cdnjs.com',
        'https://*.jsdelivr.com',
        '*.jsdelivr.com',
        '*.twimg.com',
        'https://*.twimg.com',
        '*.youtube.com',
        '*.ytimg.com'
      ].concat(trusted),
      styleSrc: [
        "'unsafe-inline'",
        '*.gstatic.com',
        '*.googleapis.com',
        '*.bootstrapcdn.com',
        'https://*.bootstrapcdn.com',
        '*.cloudflare.com',
        'https://*.cloudflare.com'
      ].concat(trusted),
      fontSrc: [
        '*.cloudflare.com',
        'https://*.cloudflare.com',
        '*.bootstrapcdn.com',
        '*.googleapis.com',
        '*.gstatic.com',
        'https://*.bootstrapcdn.com'
      ].concat(trusted),
      imgSrc: [
        // allow all input since we have user submitted images for
        // public profile
        '*',
        'data:'
      ],
      mediaSrc: [
        '*.bitly.com',
        '*.amazonaws.com',
        '*.twitter.com'
      ].concat(trusted),
      frameSrc: [
        '*.gitter.im',
        '*.gitter.im https:',
        '*.youtube.com',
        '*.twitter.com',
        '*.ghbtns.com',
        '*.freecatphotoapp.com',
        'freecodecamp.github.io'
      ].concat(trusted)
    },
    // set to true if you only want to report errors
    reportOnly: false,
    // set to true if you want to set all headers
    setAllHeaders: false,
    // set to true if you want to force buggy CSP in Safari 5
    safari5: false
  });
}
use (LMP)loopback middleware phases bump loopback-component-passport which uses LMP move custom middlewares to middlewares directory 2015-08-04 01:25:34 -07:00			`import helmet from 'helmet';`

Make structure changes to hikes 2015-12-22 19:33:25 -08:00			`let trusted = [`
Reduce header size This is needed to move to cloudFlare 2015-12-07 15:30:54 -08:00			`"'self'"`
use (LMP)loopback middleware phases bump loopback-component-passport which uses LMP move custom middlewares to middlewares directory 2015-08-04 01:25:34 -07:00			`];`

Make structure changes to hikes 2015-12-22 19:33:25 -08:00			`if (process.env.NODE_ENV !== 'production') {`
			`trusted.push('ws://localhost:3001');`
			`}`

use (LMP)loopback middleware phases bump loopback-component-passport which uses LMP move custom middlewares to middlewares directory 2015-08-04 01:25:34 -07:00			`export default function csp() {`
helmet.csp -> helmet.contentSecurityPolicy Also updated frameguard 2016-05-03 11:32:28 -07:00			`return helmet.contentSecurityPolicy({`
chore(package): update helmet to version 1.1.0 http://greenkeeper.io/ 2016-01-12 21:45:15 -08:00			`directives: {`
			`defaultSrc: trusted,`
			`scriptSrc: [`
			`"'unsafe-eval'",`
			`"'unsafe-inline'",`
			`'*.google-analytics.com',`
			`'*.gstatic.com',`
			`'https://*.cloudflare.com',`
			`'*.cloudflare.com',`
			`'https://*.gitter.im',`
			`'https://*.cdnjs.com',`
			`'*.cdnjs.com',`
			`'https://*.jsdelivr.com',`
			`'*.jsdelivr.com',`
			`'*.twimg.com',`
			`'https://*.twimg.com',`
Switch react lecture component to youtube 2016-05-04 10:30:47 -07:00			`'*.youtube.com',`
			`'*.ytimg.com'`
chore(package): update helmet to version 1.1.0 http://greenkeeper.io/ 2016-01-12 21:45:15 -08:00			`].concat(trusted),`
			`styleSrc: [`
			`"'unsafe-inline'",`
			`'*.gstatic.com',`
			`'*.googleapis.com',`
			`'*.bootstrapcdn.com',`
			`'https://*.bootstrapcdn.com',`
			`'*.cloudflare.com',`
			`'https://*.cloudflare.com'`
			`].concat(trusted),`
			`fontSrc: [`
			`'*.cloudflare.com',`
			`'https://*.cloudflare.com',`
			`'*.bootstrapcdn.com',`
			`'*.googleapis.com',`
			`'*.gstatic.com',`
			`'https://*.bootstrapcdn.com'`
			`].concat(trusted),`
			`imgSrc: [`
			`// allow all input since we have user submitted images for`
			`// public profile`
			`'*',`
			`'data:'`
			`],`
			`mediaSrc: [`
			`'*.bitly.com',`
			`'*.amazonaws.com',`
			`'*.twitter.com'`
			`].concat(trusted),`
			`frameSrc: [`
			`'*.gitter.im',`
			`'*.gitter.im https:',`
Update CSP to remove vimeo and add youtube 2016-04-19 00:23:27 -07:00			`'*.youtube.com',`
chore(package): update helmet to version 1.1.0 http://greenkeeper.io/ 2016-01-12 21:45:15 -08:00			`'*.twitter.com',`
			`'*.ghbtns.com',`
adding wiki as detached and integrating into .less folder 2016-02-09 23:22:42 -05:00			`'*.freecatphotoapp.com',`
Lint pass 2016-02-13 21:26:59 -05:00			`'freecodecamp.github.io'`
chore(package): update helmet to version 1.1.0 http://greenkeeper.io/ 2016-01-12 21:45:15 -08:00			`].concat(trusted)`
			`},`
use (LMP)loopback middleware phases bump loopback-component-passport which uses LMP move custom middlewares to middlewares directory 2015-08-04 01:25:34 -07:00			`// set to true if you only want to report errors`
			`reportOnly: false,`
			`// set to true if you want to set all headers`
			`setAllHeaders: false,`
			`// set to true if you want to force buggy CSP in Safari 5`
			`safari5: false`
			`});`
			`}`