diff --git a/src/server/index.tsx b/src/server/index.tsx index 458d7f03..91363ebb 100644 --- a/src/server/index.tsx +++ b/src/server/index.tsx @@ -10,7 +10,8 @@ import SecurityHandler from "./handlers/security-handler"; import ServiceWorkerHandler from "./handlers/service-worker-handler"; import ThemeHandler from "./handlers/theme-handler"; import ThemesListHandler from "./handlers/themes-list-handler"; -import { setCacheControl, setDefaultCsp } from "./middleware"; +import { setCacheControl } from "./middleware/set-cache-control"; +import { setDefaultCsp } from "./middleware/set-default-csp"; const server = express(); diff --git a/src/server/middleware.ts b/src/server/middleware/set-cache-control.ts similarity index 69% rename from src/server/middleware.ts rename to src/server/middleware/set-cache-control.ts index 0420e47e..616a3995 100644 --- a/src/server/middleware.ts +++ b/src/server/middleware/set-cache-control.ts @@ -1,20 +1,5 @@ import type { NextFunction, Request, Response } from "express"; -import { hasJwtCookie } from "./utils/has-jwt-cookie"; - -export function setDefaultCsp({ - res, - next, -}: { - res: Response; - next: NextFunction; -}) { - res.setHeader( - "Content-Security-Policy", - `default-src 'self'; manifest-src *; connect-src *; img-src * data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; form-action 'self'; base-uri 'self'; frame-src *; media-src * data:` - ); - - next(); -} +import { hasJwtCookie } from "../utils/has-jwt-cookie"; // Set cache-control headers. If user is logged in, set `private` to prevent storing data in // shared caches (eg nginx) and leaking of private data. If user is not logged in, allow caching @@ -22,11 +7,15 @@ export function setDefaultCsp({ // interval is rather arbitrary and could be set higher (less server load) or lower (fresher data). // // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control -export function setCacheControl( - req: Request, - res: Response, - next: NextFunction -) { +export function setCacheControl({ + res, + req, + next, +}: { + res: Response; + req: Request; + next: NextFunction; +}) { if (process.env.NODE_ENV !== "production") { return next(); } diff --git a/src/server/middleware/set-default-csp.ts b/src/server/middleware/set-default-csp.ts new file mode 100644 index 00000000..691036eb --- /dev/null +++ b/src/server/middleware/set-default-csp.ts @@ -0,0 +1,16 @@ +import type { NextFunction, Response } from "express"; + +export function setDefaultCsp({ + res, + next, +}: { + res: Response; + next: NextFunction; +}) { + res.setHeader( + "Content-Security-Policy", + `default-src 'self'; manifest-src *; connect-src *; img-src * data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; form-action 'self'; base-uri 'self'; frame-src *; media-src * data:` + ); + + next(); +}