mozilla
/
network-pulse
зеркало из https://github.com/mozilla/network-pulse.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
network-pulse/js/security-headers.js

42 строки
731 B
JavaScript
Исходник Обычный вид История

moved security headers to its own file
2017-02-15 01:32:22 +03:00
import env from "../config/env.generated.json";
export default {
directives: {
defaultSrc: [
`'none'`
],
scriptSrc: [
`'self'`,
updated script-src and img-src directives
2017-02-24 10:35:44 +03:00
`'unsafe-inline'`,
`https://*.google-analytics.com`
moved security headers to its own file
2017-02-15 01:32:22 +03:00
],
fontSrc: [
`'self'`,
`https://code.cdn.mozilla.net`
],
styleSrc: [
`'self'`,
`'unsafe-inline'`,
`https://code.cdn.mozilla.net`
],
imgSrc: [
`'self'`,
`data:`,
updated script-src and img-src directives
2017-02-24 10:35:44 +03:00
`https:`,
`http:`
moved security headers to its own file
2017-02-15 01:32:22 +03:00
],
connectSrc: [
`'self'`,
env.PULSE_API || `https://network-pulse-api-staging.herokuapp.com/`
1. Fix https redirect that was being shorted by express.static 2. disable 'x-powered-by' header 3. fix hsts header 4. modify CSP to explicitly forbid framing 5. Add helmet.frameguard
2017-03-07 18:44:53 +03:00
],
childSrc: [
`'none'`
],
frameAncestors: [
`'none'`
moved security headers to its own file
2017-02-15 01:32:22 +03:00
]
},
reportOnly: false,
browserSniff: false
};