1
0
mirror of https://git.sr.ht/~cadence/bibliogram synced 2024-11-22 08:07:30 +00:00

Add some security headers

This commit is contained in:
Cadence Ember 2020-05-30 23:07:32 +12:00
parent ea81b945ce
commit d3c6598e50
No known key found for this signature in database
GPG Key ID: 128B99B1B74A6412
5 changed files with 24 additions and 8 deletions

3
.gitignore vendored
View File

@ -4,10 +4,13 @@ node_modules
# Personalisation stuff
/src/site/pug/privacy.pug
/src/site/pug/announcements
# Database stuff
db/**/*.db*
users_export.json
*.log
*.csv
# Test stuff
/coverage

View File

@ -0,0 +1,6 @@
const params = new URLSearchParams(window.location.search)
if (params.has("status")) {
params.delete("status")
params.delete("message")
history.replaceState(null, "", "?" + params.toString())
}

View File

@ -51,14 +51,14 @@ html
ul
-
const links = [
["https://github.com/cloudrac3r/bibliogram", "GitHub repository"],
["https://github.com/cloudrac3r/bibliogram", "GitHub repository", "noopener"],
["https://matrix.to/#/#bibliogram:matrix.org", "Discussion room on Matrix"],
["https://github.com/cloudrac3r/bibliogram/wiki/Instances", "Other Bibliogram instances"],
["https://github.com/cloudrac3r/bibliogram/wiki/Instances", "Other Bibliogram instances", "noopener"],
["https://github.com/cloudrac3r/bibliogram/projects/1?fullscreen=true", "Project roadmap"],
["https://cadence.moe/about/contact", "Contact the developer"]
]
each entry in links
li: a(href!=entry[0] target="_blank" rel="noopener noreferrer")= entry[1]
li: a(href!=entry[0] target="_blank" rel=(entry[2] || "noopener noreferrer"))= entry[1]
if constants.featured_profiles.length
.featured-profiles#featured-profiles

View File

@ -33,11 +33,7 @@ html
body.settings-page
if status && message
.status-notice(class=status)= message
script.
const params = new URLSearchParams(window.location.search)
params.delete("status")
params.delete("message")
history.replaceState(null, "", "?" + params.toString())
script(src=getStaticURL("html", "/static/js/settings_message.js") type="module")
main.settings
form(action=returnAction method="post" enctype="application/x-www-form-urlencoded")
input(type="hidden" name="csrf" value=csrf)

View File

@ -4,6 +4,11 @@ const constants = require("../lib/constants")
const passthrough = require("./passthrough")
const deniedFeatures = [
"accelerometer", "ambient-light-sensor", "battery", "camera", "display-capture", "document-domain", "geolocation", "gyroscope",
"magnetometer", "microphone", "midi", "payment", "publickey-credentials-get", "sync-xhr", "usb", "xr-spatial-tracking"
]
const pinski = new Pinski({
port: +process.env.PORT || constants.port,
ip: constants.bind_ip,
@ -12,6 +17,12 @@ const pinski = new Pinski({
exts: ["ttf", "woff2", "png", "jpg", "jpeg", "svg", "gif", "webmanifest", "ico"],
seconds: 604800
},
globalHeaders: {
"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; block-all-mixed-content",
"Feature-Policy": deniedFeatures.map(feature => `${feature} 'none'`).join("; "),
"Referrer-Policy": "origin",
"X-Content-Type-Options": "nosniff"
}
})
subdirs("pug", async (err, dirs) => {