const fs = require('fs')
const YAML = require('yaml')
const helmet = require('helmet')
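/**
 * Build a Helmet middleware from a YAML policy file.
 *
 * Every Helmet feature starts switched OFF (`allDisabled`); the YAML file
 * turns features back on by naming them with Helmet's option keys, e.g.
 *
 *     contentSecurityPolicy:
 *       useDefaults: true
 *     frameguard:
 *       action: deny
 *
 * Three options are forced off regardless of the file (see `forcedOff`).
 *
 * Security note: because the baseline is "everything off", a sparse or
 * missing file yields FEWER protective headers, not more. Only a missing
 * file (ENOENT) falls back to the built-in default policy, which enables
 * CSP with Helmet defaults and nothing else. Any other read error, an empty
 * file, or a file whose top level is not a mapping throws, so a misdeployed
 * policy cannot silently run with most headers disabled.
 *
 * @param {string} path - Filesystem path of the YAML policy file (required).
 * @returns {Function} Helmet middleware (`helmet(options)`), usable with Express.
 * @throws {Error} Any fs error other than ENOENT, propagated unchanged.
 * @throws {TypeError} When the parsed YAML is not a mapping (e.g. empty file).
 */
module.exports = (path) => {
  // Baseline: every middleware Helmet knows about, disabled. Anything the
  // policy file does not mention stays off.
  const allDisabled = {
    contentSecurityPolicy: false,
    crossOriginEmbedderPolicy: false,
    crossOriginOpenerPolicy: false,
    crossOriginResourcePolicy: false,
    originAgentCluster: false,
    referrerPolicy: false,
    strictTransportSecurity: false,
    xContentTypeOptions: false,
    dnsPrefetchControl: false,
    frameguard: false,
    permittedCrossDomainPolicies: false,
    hidePoweredBy: false,
  };

  // Always off, even if the policy file tries to enable them.
  const forcedOff = {
    xXssProtection: false,
    xDownloadOptions: false,
    expectCt: false,
  };

  // Used only when the policy file does not exist.
  const DEFAULT_POLICY = 'contentSecurityPolicy:\n useDefaults: true\n';

  let policyText;
  try {
    policyText = fs.readFileSync(path, 'utf8');
  } catch (err) {
    // Fall back only for a missing file. Permission errors, EISDIR, a bad
    // `path` argument, etc. are deployment mistakes and must surface rather
    // than quietly degrade to the minimal header set.
    if (err.code !== 'ENOENT') {
      throw err;
    }
    policyText = DEFAULT_POLICY;
  }

  // NOTE(review): relies on the `yaml` package's default schema, which has no
  // tags that instantiate arbitrary objects — confirm no custom schema is
  // configured elsewhere before treating this file as untrusted input.
  const overrides = YAML.parse(policyText);
  if (overrides === null || typeof overrides !== 'object' || Array.isArray(overrides)) {
    throw new TypeError(
      `Helmet policy file ${path} must contain a YAML mapping of Helmet options`,
    );
  }

  // Later spreads win: the file overrides the baseline, and the forced-off
  // options override the file.
  return helmet({ ...allDisabled, ...overrides, ...forcedOff });
}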