Add missing Content Security Policy (CSP)

caleb531 · Dec 25, 2021 · 5516f7d · 5516f7d · vercel · Dec 25, 2021
1 parent cda0409
commit 5516f7d
Showing 1 changed file with 17 additions and 1 deletion.
diff --git a/app/server/express-server.js b/app/server/express-server.js
@@ -14,7 +14,23 @@ if (process.env.NODE_ENV === 'production') {
   app.enable('trust proxy');
   app.use(expressEnforcesSSL());
 }
-app.use(helmet());
+app.use(helmet({
+  contentSecurityPolicy: {
+    useDefaults: true,
+    directives: {
+      /* eslint-disable quotes */
+      'default-src': ["'none'"],
+      'style-src': ["'self'"],
+      'img-src': ["'self'"],
+      'font-src': ["'self'", 'https://*.gstatic.com', 'data:'],
+      'script-src': ["'self'", "'unsafe-inline'", 'https://storage.googleapis.com', 'https://www.google-analytics.com'],
+      'child-src': ["'self'"],
+      'connect-src': ["'self'"],
+      'manifest-src': ["'self'"]
+      /* eslint-enable quotes */
+    }
+  }
+}));
 
 // Serve assets using gzip compression
 app.use(compression());