unleash.unleash/src/lib/middleware/secure-headers.ts

import helmet from 'helmet';
import { RequestHandler } from 'express';
import { IUnleashConfig } from '../types';
import { hoursToSeconds } from 'date-fns';

const secureHeaders: (config: IUnleashConfig) => RequestHandler = (config) => {
    if (config.secureHeaders) {
        return helmet({
            hsts: {
                maxAge: hoursToSeconds(24 * 365 * 2), // 2 non-leap years
                includeSubDomains: true,
                preload: true,
            },
            contentSecurityPolicy: {
                directives: {
                    defaultSrc: [
                        "'self'",
                        'cdn.getunleash.io',
                        'gravatar.com',
                        ...config.additionalCspAllowedDomains.defaultSrc,
                    ],
                    fontSrc: [
                        "'self'",
                        'cdn.getunleash.io',
                        'fonts.googleapis.com',
                        'fonts.gstatic.com',
                        ...config.additionalCspAllowedDomains.fontSrc,
                    ],
                    styleSrc: [
                        "'self'",
                        "'unsafe-inline'",
                        'cdn.getunleash.io',
                        'fonts.googleapis.com',
                        'fonts.gstatic.com',
                        'data:',
                        ...config.additionalCspAllowedDomains.styleSrc,
                    ],
                    scriptSrc: [
                        "'self'",
                        'cdn.getunleash.io',
                        ...config.additionalCspAllowedDomains.scriptSrc,
                    ],
                    imgSrc: [
                        "'self'",
                        'data:',
                        'cdn.getunleash.io',
                        'gravatar.com',
                        ...config.additionalCspAllowedDomains.imgSrc,
                    ],
                },
            },
            crossOriginEmbedderPolicy: false,
        });
    }
    return (req, res, next) => {
        next();
    };
};

export default secureHeaders;
fix: Stores as typescript and with interfaces. (#902) Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com> 2021-08-12 15:04:37 +02:00			`import helmet from 'helmet';`
			`import { RequestHandler } from 'express';`
Define exports for enterprise (#2435) <!-- Thanks for creating a PR! To make it easier for reviewers and everyone else to understand what your changes relate to, please add some relevant content to the headings below. Feel free to ignore or delete sections that you don't think are relevant. Thank you! ❤️ --> This PR sets up exports so that we can import in enterprise with just "unleash-server". This will free us to refactor unleash internals without breaking enterprise ## About the changes <!-- Describe the changes introduced. What are they and why are they being introduced? Feel free to also add screenshots or steps to view the changes if they're visual. --> <!-- Does it close an issue? Multiple? --> Closes # <!-- (For internal contributors): Does it relate to an issue on public roadmap? --> <!-- Relates to [roadmap](https://github.com/orgs/Unleash/projects/10) item: # --> ### Important files <!-- PRs can contain a lot of changes, but not all changes are equally important. Where should a reviewer start looking to get an overview of the changes? Are any files particularly important? --> ## Discussion points <!-- Anything about the PR you'd like to discuss before it gets merged? Got any questions or doubts? --> 2022-11-17 12:02:40 +01:00			`import { IUnleashConfig } from '../types';`
fix: be explicit when specifying time & replace moment with date-fns (#1072) 2021-11-02 15:13:46 +01:00			`import { hoursToSeconds } from 'date-fns';`
fix: add optional helmet security headers Allow users to enable the helmet middleware to enable security headers by default. https://github.com/helmetjs/helmet 2020-09-01 21:19:46 +02:00
fix: Stores as typescript and with interfaces. (#902) Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com> 2021-08-12 15:04:37 +02:00			`const secureHeaders: (config: IUnleashConfig) => RequestHandler = (config) => {`
fix: add secureHeaders option for HSTS 2020-10-01 21:47:40 +02:00			`if (config.secureHeaders) {`
fix: add optional helmet security headers Allow users to enable the helmet middleware to enable security headers by default. https://github.com/helmetjs/helmet 2020-09-01 21:19:46 +02:00			`return helmet({`
fix: update helmet config 2020-09-18 11:30:30 +02:00			`hsts: {`
fix: be explicit when specifying time & replace moment with date-fns (#1072) 2021-11-02 15:13:46 +01:00			`maxAge: hoursToSeconds(24 * 365 * 2), // 2 non-leap years`
fix: update helmet config 2020-09-18 11:30:30 +02:00			`includeSubDomains: true,`
			`preload: true,`
			`},`
fix: add optional helmet security headers Allow users to enable the helmet middleware to enable security headers by default. https://github.com/helmetjs/helmet 2020-09-01 21:19:46 +02:00			`contentSecurityPolicy: {`
			`directives: {`
feat: Allow extra CSP domains (#1610) * feat: Allow extra CSP domains Co-authored-by: Fredrik Oseberg <fredrik.no@gmail.com> * fix: eslint: * fix: allow partial csp domains * fix: add option and config type * fix: snapshot Co-authored-by: Fredrik Oseberg <fredrik.no@gmail.com> 2022-05-31 11:32:15 +02:00			`defaultSrc: [`
			`"'self'",`
			`'cdn.getunleash.io',`
			`'gravatar.com',`
			`...config.additionalCspAllowedDomains.defaultSrc,`
			`],`
fix: add secureHeaders option for HSTS 2020-10-01 21:47:40 +02:00			`fontSrc: [`
fix: add optional helmet security headers Allow users to enable the helmet middleware to enable security headers by default. https://github.com/helmetjs/helmet 2020-09-01 21:19:46 +02:00			`"'self'",`
fix: allow static assets from cdn.getunleash.io 2022-01-06 21:08:16 +01:00			`'cdn.getunleash.io',`
fix: add optional helmet security headers Allow users to enable the helmet middleware to enable security headers by default. https://github.com/helmetjs/helmet 2020-09-01 21:19:46 +02:00			`'fonts.googleapis.com',`
			`'fonts.gstatic.com',`
feat: Allow extra CSP domains (#1610) * feat: Allow extra CSP domains Co-authored-by: Fredrik Oseberg <fredrik.no@gmail.com> * fix: eslint: * fix: allow partial csp domains * fix: add option and config type * fix: snapshot Co-authored-by: Fredrik Oseberg <fredrik.no@gmail.com> 2022-05-31 11:32:15 +02:00			`...config.additionalCspAllowedDomains.fontSrc,`
fix: add optional helmet security headers Allow users to enable the helmet middleware to enable security headers by default. https://github.com/helmetjs/helmet 2020-09-01 21:19:46 +02:00			`],`
fix: lax helmet csp config for styles. Required to support react-selct, see https://github.com/JedWatson/react-select/issues/2917 2020-09-07 09:23:59 +02:00			`styleSrc: [`
			`"'self'",`
fix: helmet wap csp in quotes 2020-09-07 09:51:30 +02:00			`"'unsafe-inline'",`
fix: allow static assets from cdn.getunleash.io 2022-01-06 21:08:16 +01:00			`'cdn.getunleash.io',`
fix: lax helmet csp config for styles. Required to support react-selct, see https://github.com/JedWatson/react-select/issues/2917 2020-09-07 09:23:59 +02:00			`'fonts.googleapis.com',`
			`'fonts.gstatic.com',`
			`'data:',`
feat: Allow extra CSP domains (#1610) * feat: Allow extra CSP domains Co-authored-by: Fredrik Oseberg <fredrik.no@gmail.com> * fix: eslint: * fix: allow partial csp domains * fix: add option and config type * fix: snapshot Co-authored-by: Fredrik Oseberg <fredrik.no@gmail.com> 2022-05-31 11:32:15 +02:00			`...config.additionalCspAllowedDomains.styleSrc,`
			`],`
			`scriptSrc: [`
			`"'self'",`
			`'cdn.getunleash.io',`
			`...config.additionalCspAllowedDomains.scriptSrc,`
fix: lax helmet csp config for styles. Required to support react-selct, see https://github.com/JedWatson/react-select/issues/2917 2020-09-07 09:23:59 +02:00			`],`
fix: allow static assets from cdn.getunleash.io 2022-01-06 21:08:16 +01:00			`imgSrc: [`
			`"'self'",`
			`'data:',`
			`'cdn.getunleash.io',`
			`'gravatar.com',`
feat: Allow extra CSP domains (#1610) * feat: Allow extra CSP domains Co-authored-by: Fredrik Oseberg <fredrik.no@gmail.com> * fix: eslint: * fix: allow partial csp domains * fix: add option and config type * fix: snapshot Co-authored-by: Fredrik Oseberg <fredrik.no@gmail.com> 2022-05-31 11:32:15 +02:00			`...config.additionalCspAllowedDomains.imgSrc,`
fix: allow static assets from cdn.getunleash.io 2022-01-06 21:08:16 +01:00			`],`
fix: add optional helmet security headers Allow users to enable the helmet middleware to enable security headers by default. https://github.com/helmetjs/helmet 2020-09-01 21:19:46 +02:00			`},`
			`},`
fix: make sure our CSP allow gravatar.com for images 2022-01-12 23:22:04 +01:00			`crossOriginEmbedderPolicy: false,`
fix: add optional helmet security headers Allow users to enable the helmet middleware to enable security headers by default. https://github.com/helmetjs/helmet 2020-09-01 21:19:46 +02:00			`});`
			`}`
			`return (req, res, next) => {`
			`next();`
			`};`
			`};`
fix: Stores as typescript and with interfaces. (#902) Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com> 2021-08-12 15:04:37 +02:00
			`export default secureHeaders;`