Commit 33bba392 authored by Michael Henretty's avatar Michael Henretty

add CSP headers to both deployment and local server

parent bbafb616
......@@ -77,7 +77,7 @@ apache::vhost { $project_name:
'set X-Frame-Options "DENY"',
'set Strict-Transport-Security "max-age=31536000"',
# media-src blob: is required for recording audio.
'set Content-Security-Policy "default-src \'self\'; img-src \'self\' https://www.google-analytics.com; media-src blob: https://*.amazonaws.com; script-src \'self\' \'unsafe-eval\' https://www.google-analytics.com/analytics.js"'
'set Content-Security-Policy "default-src \'none\'; style-src \'self\'; img-src \'self\' www.google-analytics.com; media-src blob: https://*.amazonaws.com; script-src \'self\' https://www.google-analytics.com/analytics.js; font-src \'self\'; connect-src \'self\'"'
],
rewrites => [
{
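Review bot: `default-src 'none'` on the new header (L12) does not govern `base-uri`, `form-action` or `frame-ancestors` — those directives do not fall back to default-src, so base and form targets stay unrestricted after this change. X-Frame-Options DENY on L8 already covers framing for this host, but it would be worth appending `; base-uri 'self'; form-action 'self'` to the policy string. The same policy text is repeated verbatim in the node server in this commit; a comment such as `# Keep in sync with the Content-Security-Policy header in the local server` next to L10 would make the coupling visible to whoever next edits either copy. The vhost resource starts and ends outside the hunk.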
......@@ -21,7 +21,13 @@ export default class Server {
constructor() {
this.staticServer = new nodeStatic.Server(
path.join(__dirname, CLIENT_PATH),
{ cache: false }
{
cache: false,
headers: {
'Content-Security-Policy':
"default-src 'none'; style-src 'self'; img-src 'self' www.google-analytics.com; media-src blob: https://*.amazonaws.com; script-src 'self' https://www.google-analytics.com/analytics.js; font-src 'self'; connect-src 'self'",
},
}
);
this.api = new API();
this.clip = new Clip();
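Review bot: The header added at L24-L27 is passed to the nodeStatic.Server options, so as far as this hunk shows it is attached only to responses for static files; responses produced by `this.api` (L30) and any other routes would presumably not carry it, which should be confirmed or documented on the constructor. The policy literal on L26 is the same string the Puppet vhost sets, so I would lift it to a named constant with a comment pointing at the other copy, e.g. `// Mirrors the Content-Security-Policy header in the apache vhost; keep both in sync.` followed by `const CONTENT_SECURITY_POLICY = "default-src 'none'; …";` and `'Content-Security-Policy': CONTENT_SECURITY_POLICY,` at L25-L26. The `media-src blob:` allowance is explained in the manifest but not here; the same why-comment belongs on the constant. The constructor's body continues outside the hunk.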