
Add more security headers

master
Peter H. Jin 2 months ago
parent
commit
af93e75178
  1. 19
      index.js
  2. 8
      main/webserver.js

19
index.js

@ -14,10 +14,23 @@ function logRequest(req, res, next) {
console.log(`${req.ip} (${cipherName}) [${new Date().toISOString()}] - ${req.headers['host']}[${s.localAddress}] "${req.method} ${req.url} HTTP/${req.httpVersion}" "${req.headers['referer'] || "-"}" "${req.headers['user-agent'] || "-"}"`);
if (next) next();
}
function securityHeadersNoHSTS(req, res, next) {
res.set("x-frame-options", "DENY");
res.set("content-security-policy", "default-src 'self'; style-src 'unsafe-inline'");
res.set("x-xss-protection", "1; mode=block");
res.set("x-content-type-options", "nosniff");
res.set("referrer-policy", "strict-origin-when-cross-origin");
next();
}
function securityHeaders(req, res, next) {
res.set("strict-transport-security", "max-age=31536000");
securityHeadersNoHSTS(req, res, next);
}
try {
let ipv6BibleApp_b = express();
let ipv6BibleApp_s = require("./bible/webserver.js");
ipv6BibleApp_b.use('/', logRequest);
ipv6BibleApp_b.use('/', securityHeadersNoHSTS);
ipv6BibleApp_b.use('/', (req, res, next) => {
res.set("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload");
next();
@ -31,6 +44,7 @@ try {
}
var mainApp = express();
mainApp.use('/', logRequest);
mainApp.use('/', securityHeaders);
mainAppF.mountExpress(mainApp, 'newVersion');
mainApp.set('etag', false);
// mainApp.keepAliveTimeout = 30000;
@ -50,10 +64,7 @@ config.initServers({
make_static: function(path) {
let app = express();
app.use('/', logRequest);
app.use('/', (req, res, next) => {
res.set("strict-transport-security", "max-age=31536000");
next();
});
app.use('/', securityHeaders);
app.use('/', express.static(path));
// app.keepAliveTimeout = 30000;
return app;
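Review bot: The CSP added in securityHeadersNoHSTS (`style-src 'unsafe-inline'`) drops the `'self'` source for styles, because an explicit style-src replaces the default-src fallback rather than extending it, so a same-origin stylesheet file would be blocked while inline styles are allowed; if any page links its own CSS the line should read `res.set("content-security-policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");`. The HSTS value also differs between the helper (`max-age=31536000`) and the inline middleware in the bible app (`max-age=31536000; includeSubDomains; preload`); if that split is deliberate, a one-line comment on securityHeaders saying why the main app omits includeSubDomains would stop the next reader from "fixing" it. `x-xss-protection: 1; mode=block` is a legacy header that current guidance recommends setting to `0` or omitting now that a CSP is in place, so a short comment is warranted if it is kept on purpose. A JSDoc on securityHeadersNoHSTS noting that it exists for the app that sets its own HSTS policy would make the pair self-explanatory.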

8
main/webserver.js

@ -2,10 +2,10 @@ var i6tlib = require("./page.js");
var staticLib = require("./static.js");
var ip = require("ip");
function mountExpress(app, isTesting) {
app.use("/", (req, res, next) => {
res.set("Strict-Transport-Security", "max-age=31536000");
next();
});
// app.use("/", (req, res, next) => {
// res.set("Strict-Transport-Security", "max-age=31536000");
// next();
// });
app.get("/", function(req, res) {
let l_ip = isTesting === 'newVersion' ? String(req.socket.localAddress) : String(req.get("X-Ipv6things-LocalIP") || (isTesting ? req.query.localIP : "unknown"));
let r_ip = isTesting === 'newVersion' ? String(req.ip) : String(req.get("X-Ipv6things-RemoteIP") || (isTesting ? "2001:db8::1" : "unknown"));
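Review bot: The commented-out HSTS middleware left in mountExpress (the four `// app.use(...)` lines, which appear to be the new side since the same header is now set by securityHeaders in index.js before mountExpress is called) should be deleted rather than kept as dead code; version control already preserves it. If the intent is to record that the header moved, a single line such as `// Strict-Transport-Security is set by securityHeaders in index.js before mountExpress.` says more than the commented code. mountExpress continues past the end of the hunk.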
