Commit 33bba392 authored by Michael Henretty's avatar Michael Henretty

add CSP headers to both deployment and local server

parent bbafb616
...@@ -77,7 +77,7 @@ apache::vhost { $project_name: ...@@ -77,7 +77,7 @@ apache::vhost { $project_name:
'set X-Frame-Options "DENY"', 'set X-Frame-Options "DENY"',
'set Strict-Transport-Security "max-age=31536000"', 'set Strict-Transport-Security "max-age=31536000"',
# media-src blob: is required for recording audio. # media-src blob: is required for recording audio.
'set Content-Security-Policy "default-src \'self\'; img-src \'self\' https://www.google-analytics.com; media-src blob: https://*.amazonaws.com; script-src \'self\' \'unsafe-eval\' https://www.google-analytics.com/analytics.js"' 'set Content-Security-Policy "default-src \'none\'; style-src \'self\'; img-src \'self\' www.google-analytics.com; media-src blob: https://*.amazonaws.com; script-src \'self\' https://www.google-analytics.com/analytics.js; font-src \'self\'; connect-src \'self\'"'
], ],
rewrites => [ rewrites => [
{ {
......
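Review bot: The new policy on the `Content-Security-Policy` header line still leaves `base-uri`, `frame-ancestors` and `form-action` open, because those three directives do not fall back to `default-src` — so `default-src 'none'` does not stop `<base>` injection or form exfiltration, and framing is blocked only by the separate X-Frame-Options header. Appending `base-uri 'none'; frame-ancestors 'none'` (and `form-action 'self'` if the pages only submit to this site — worth confirming) closes that gap. `media-src https://*.amazonaws.com` also whitelists every AWS-hosted origin; if the clips live in a single bucket, naming that host instead is a cheap tightening. The `headers` array and the enclosing `apache::vhost` resource continue outside the hunk.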
...@@ -21,7 +21,13 @@ export default class Server { ...@@ -21,7 +21,13 @@ export default class Server {
constructor() { constructor() {
this.staticServer = new nodeStatic.Server( this.staticServer = new nodeStatic.Server(
path.join(__dirname, CLIENT_PATH), path.join(__dirname, CLIENT_PATH),
{ cache: false } {
cache: false,
headers: {
'Content-Security-Policy':
"default-src 'none'; style-src 'self'; img-src 'self' www.google-analytics.com; media-src blob: https://*.amazonaws.com; script-src 'self' https://www.google-analytics.com/analytics.js; font-src 'self'; connect-src 'self'",
},
}
); );
this.api = new API(); this.api = new API();
this.clip = new Clip(); this.clip = new Clip();
......
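Review bot: The policy string on the `'Content-Security-Policy'` line duplicates the one in the Apache manifest byte-for-byte, so the two will drift the next time one is tightened; hoist it into a module-level constant such as `const CSP = "default-src 'none'; style-src 'self'; …";` and reference it from the `headers` object, ideally feeding the puppet value from the same source. node-static only attaches these headers to the files it serves, so responses produced by `this.api` and `this.clip` (constructed on the following lines) presumably bypass the policy — worth confirming if any of them return HTML. The local server also lacks the X-Frame-Options header the deployment sets; adding `frame-ancestors 'none'` to the shared policy would cover both. The constructor continues past the hunk.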