From d3c6598e5008b043cca156ca9eba87a523b18c65 Mon Sep 17 00:00:00 2001
From: Cadence Ember
Date: Sat, 30 May 2020 23:07:32 +1200
Subject: [PATCH] Add some security headers

---
 .gitignore | 3 +++
 src/site/html/static/js/settings_message.js | 6 ++++++
 src/site/pug/home.pug | 6 +++---
 src/site/pug/settings.pug | 6 +-----
 src/site/server.js | 11 +++++++++++
 5 files changed, 24 insertions(+), 8 deletions(-)
 create mode 100644 src/site/html/static/js/settings_message.js

diff --git a/.gitignore b/.gitignore
index 3eaf1d2..e559e2c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,10 +4,13 @@ node_modules
 # Personalisation stuff
 /src/site/pug/privacy.pug
+/src/site/pug/announcements
 # Database stuff
 db/**/*.db*
 users_export.json
+*.log
+*.csv
 # Test stuff
 /coverage
diff --git a/src/site/html/static/js/settings_message.js b/src/site/html/static/js/settings_message.js
new file mode 100644
index 0000000..4173217
--- /dev/null
+++ b/src/site/html/static/js/settings_message.js
@@ -0,0 +1,6 @@
+const params = new URLSearchParams(window.location.search)
+if (params.has("status")) {
+ params.delete("status")
+ params.delete("message")
+ history.replaceState(null, "", "?" + params.toString())
+}
diff --git a/src/site/pug/home.pug b/src/site/pug/home.pug
index 84047b3..fde8a0c 100644
--- a/src/site/pug/home.pug
+++ b/src/site/pug/home.pug
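Review bot: When `status` was the only query parameter, the `history.replaceState(null, "", "?" + params.toString())` call on the last added line leaves the page at a URL ending in a bare `?`; prefer `const query = params.toString()` followed by `history.replaceState(null, "", query ? "?" + query : location.pathname)`. The file also deserves a one-line header explaining why this code is no longer inline in settings.pug, e.g. `// Kept as a separate file: the site's Content-Security-Policy (default-src 'self') blocks inline <script> blocks.`, since that dependency on the server.js change is not visible from the file itself.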
@@ -51,14 +51,14 @@ html
 ul
 - const links = [
- ["https://github.com/cloudrac3r/bibliogram", "GitHub repository"],
+ ["https://github.com/cloudrac3r/bibliogram", "GitHub repository", "noopener"],
 ["https://matrix.to/#/#bibliogram:matrix.org", "Discussion room on Matrix"],
- ["https://github.com/cloudrac3r/bibliogram/wiki/Instances", "Other Bibliogram instances"],
+ ["https://github.com/cloudrac3r/bibliogram/wiki/Instances", "Other Bibliogram instances", "noopener"],
 ["https://github.com/cloudrac3r/bibliogram/projects/1?fullscreen=true", "Project roadmap"],
 ["https://cadence.moe/about/contact", "Contact the developer"]
 ]
 each entry in links
- li: a(href!=entry[0] target="_blank" rel="noopener noreferrer")= entry[1]
+ li: a(href!=entry[0] target="_blank" rel=(entry[2] || "noopener noreferrer"))= entry[1]
 if constants.featured_profiles.length
 .featured-profiles#featured-profiles
diff --git a/src/site/pug/settings.pug b/src/site/pug/settings.pug
index e2b50e6..6bb9f7a 100644
--- a/src/site/pug/settings.pug
+++ b/src/site/pug/settings.pug
@@ -33,11 +33,7 @@ html
 body.settings-page
 if status && message
 .status-notice(class=status)= message
- script.
- const params = new URLSearchParams(window.location.search)
- params.delete("status")
- params.delete("message")
- history.replaceState(null, "", "?" + params.toString())
+ script(src=getStaticURL("html", "/static/js/settings_message.js") type="module")
 main.settings
 form(action=returnAction method="post" enctype="application/x-www-form-urlencoded")
 input(type="hidden" name="csrf" value=csrf)
diff --git a/src/site/server.js b/src/site/server.js
index b340e43..2eb1f5d 100644
--- a/src/site/server.js
+++ b/src/site/server.js
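Review bot: The third tuple element on the two GitHub entries silently changes those links' `rel` from `noopener noreferrer` to `noopener`, so they now send a referrer (the bare origin, under the `Referrer-Policy: origin` header added in server.js) while the other links send none, and nothing in the template says this asymmetry is intended. Add an unbuffered comment above the array, e.g. `//- entry[2] overrides rel; "noopener" alone (no noreferrer) lets the target see this instance's origin as referrer`, so a later edit does not "fix" it back. The `rel=(entry[2] || "noopener noreferrer")` fallback itself is fine, since a missing third element yields `undefined`.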
@@ -4,6 +4,11 @@ const constants = require("../lib/constants")
 const passthrough = require("./passthrough")
+const deniedFeatures = [
+ "accelerometer", "ambient-light-sensor", "battery", "camera", "display-capture", "document-domain", "geolocation", "gyroscope",
+ "magnetometer", "microphone", "midi", "payment", "publickey-credentials-get", "sync-xhr", "usb", "xr-spatial-tracking"
+]
+
 const pinski = new Pinski({
 port: +process.env.PORT || constants.port,
 ip: constants.bind_ip,
@@ -12,6 +17,12 @@ const pinski = new Pinski({
 exts: ["ttf", "woff2", "png", "jpg", "jpeg", "svg", "gif", "webmanifest", "ico"],
 seconds: 604800
 },
+ globalHeaders: {
+ "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; block-all-mixed-content",
+ "Feature-Policy": deniedFeatures.map(feature => `${feature} 'none'`).join("; "),
+ "Referrer-Policy": "origin",
+ "X-Content-Type-Options": "nosniff"
+ }
 })
 subdirs("pug", async (err, dirs) => {
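Review bot: `deniedFeatures` has no comment saying that it lists browser features the site never uses and exists only to build the `Feature-Policy` header in the second hunk; add `// Browser features this site never uses; each is denied via the Feature-Policy header below.` above the array. Feature-Policy has since been superseded by `Permissions-Policy`, which uses a different syntax (`camera=(), microphone=()`), so if this list is kept it is worth deriving both headers from it so newer browsers keep honouring the restriction.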
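Review bot: The CSP on the first added header line does not cover `base-uri` or `form-action`, which do not inherit from `default-src`, so a `<base>` element or form target would still be unrestricted; extend it to `"default-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; block-all-mixed-content"`. `frame-ancestors` is not understood by older browsers, so adding `"X-Frame-Options": "DENY"` to the same object is a cheap fallback. `Referrer-Policy: origin` also sends the origin on HTTPS→HTTP downgrades and on same-origin navigations, whereas `strict-origin-when-cross-origin` keeps the full referrer on-site, sends only the origin cross-site and nothing on downgrade; if `origin` was chosen deliberately so outbound `rel="noopener"` links reveal the instance, a comment saying so would help. The Pinski options object edited here begins before the hunk.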