network-pulse/js/security-headers.js

import url from 'url';
import env from "../config/env.generated.json";

export default {
  directives: {
    defaultSrc: [
      `'none'`
    ],
    scriptSrc: [
      `'self'`,
      `https://*.google-analytics.com`,
      `https://platform.twitter.com/widgets.js`
    ],
    fontSrc: [
      `'self'`,
      `https://code.cdn.mozilla.net`
    ],
    styleSrc: [
      `'self'`,
      `'unsafe-inline'`,
      `https://code.cdn.mozilla.net`
    ],
    imgSrc: [
      `'self'`,
      `data:`,
      `https:`,
      `http:`
    ],
    connectSrc: [
      `'self'`,
      url.parse(env.PULSE_API).host || `https://network-pulse-api-staging.herokuapp.com/`
    ],
    childSrc: [
      `'none'`
    ],
    frameAncestors: [
      `'none'`
    ],
    manifestSrc: [
      `'self'`
    ]
  },
  reportOnly: false,
  browserSniff: false
};
Moderation page (#575) * Fixes #541 - Moderation page * code cleanup * changed how moderation page shows and works by default * code improvement * thumbnails on moderation page should not be hyperlinks & show moderation navlink * extracted ModerationPanel and Details to their own files * changed border style * thinner border 2017-07-12 01:24:10 +03:00			`import url from 'url';`
moved security headers to its own file 2017-02-15 01:32:22 +03:00			`import env from "../config/env.generated.json";`

			`export default {`
			`directives: {`
			`defaultSrc: [`
			`'none'`
			`],`
			`scriptSrc: [`
			`'self'`,
Fixes #159 - added Twitter share button 2017-05-16 22:41:29 +03:00			`https://*.google-analytics.com`,
			`https://platform.twitter.com/widgets.js`
moved security headers to its own file 2017-02-15 01:32:22 +03:00			`],`
			`fontSrc: [`
			`'self'`,
			`https://code.cdn.mozilla.net`
			`],`
			`styleSrc: [`
			`'self'`,
			`'unsafe-inline'`,
			`https://code.cdn.mozilla.net`
			`],`
			`imgSrc: [`
			`'self'`,
			`data:`,
updated script-src and img-src directives 2017-02-24 10:35:44 +03:00			`https:`,
			`http:`
moved security headers to its own file 2017-02-15 01:32:22 +03:00			`],`
			`connectSrc: [`
			`'self'`,
Moderation page (#575) * Fixes #541 - Moderation page * code cleanup * changed how moderation page shows and works by default * code improvement * thumbnails on moderation page should not be hyperlinks & show moderation navlink * extracted ModerationPanel and Details to their own files * changed border style * thinner border 2017-07-12 01:24:10 +03:00			url.parse(env.PULSE_API).host \|\| `https://network-pulse-api-staging.herokuapp.com/`
1. Fix https redirect that was being shorted by express.static 2. disable 'x-powered-by' header 3. fix hsts header 4. modify CSP to explicitly forbid framing 5. Add helmet.frameguard 2017-03-07 18:44:53 +03:00			`],`
			`childSrc: [`
			`'none'`
			`],`
			`frameAncestors: [`
			`'none'`
Fixes #462 - allow manifest.json to load (#463) 2017-04-06 19:25:54 +03:00			`],`
			`manifestSrc: [`
			`'self'`
moved security headers to its own file 2017-02-15 01:32:22 +03:00			`]`
			`},`
			`reportOnly: false,`
			`browserSniff: false`
			`};`