From a6c519e2f0274704fbf1b50c3fd0e55382df4532 Mon Sep 17 00:00:00 2001
From: Alan Friedman
Date: Sun, 19 May 2019 14:27:14 -0400
Subject: [PATCH] Security headers (#67)
* Set test header
* Add security headers
* Update CSP to allow inline scripts and images
* Add empty string as API host value
* Add API host to CSP
* Use empty string if env var missing
* Add WSS and HTTPS protocols
* Undo app JSON change
* Set all headers in single object
* Fix typos
---
 server/src/index.js | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/server/src/index.js b/server/src/index.js
index 0b4e25d..8e9a80d 100644
--- a/server/src/index.js
+++ b/server/src/index.js
@@ -77,11 +77,29 @@ router.post('/abuse/:roomId', koaBody, async (ctx) => {
 app.use(router.routes());
+const cspDefaultSrc = `'self'${process.env.API_HOST ? ` https://${process.env.API_HOST} wss://${process.env.API_HOST}` : ''}`
+
+function setStaticFileHeaders(ctx) {
+ ctx.set({
+ 'strict-transport-security': 'max-age=31536000',
+ 'Content-Security-Policy': `default-src ${cspDefaultSrc} 'unsafe-inline'; img-src 'self' data:;`,
+ 'X-Frame-Options': 'deny',
+ 'X-XSS-Protection': '1; mode=block',
+ 'X-Content-Type-Options': 'nosniff',
+ 'Referrer-Policy': 'no-referrer',
+ 'Feature-Policy': "geolocation 'none'; vr 'none'; payment 'none'; microphone 'none'",
+ });
+}
+
 const clientDistDirectory = process.env.CLIENT_DIST_DIRECTORY;
 if (clientDistDirectory) {
- app.use(koaStatic(clientDistDirectory));
+ app.use(async (ctx, next) => {
+ setStaticFileHeaders(ctx);
+ await koaStatic(clientDistDirectory)(ctx, next);
+ });
 app.use(async (ctx) => {
+ setStaticFileHeaders(ctx);
 await koaSend(ctx, 'index.html', { root: clientDistDirectory });
 })
 } else {