Add Content-Security-Policy header by default (#10776)
rijkvanzanten committed Dec 30, 2021
1 parent 9ef4019 commit ec86d54
Showing 4 changed files with 35 additions and 14 deletions.
1 change: 1 addition & 0 deletions api/package.json
Expand Up @@ -114,6 +114,7 @@
"fs-extra": "^10.0.0",
"graphql": "^15.5.0",
"graphql-compose": "^9.0.1",
"helmet": "^4.6.0",
"inquirer": "^8.1.1",
"joi": "^17.3.0",
"js-yaml": "^4.1.0",
4 changes: 4 additions & 0 deletions api/src/app.ts
Expand Up @@ -3,6 +3,7 @@ import express, { Request, Response, RequestHandler } from 'express';
import fse from 'fs-extra';
import path from 'path';
import qs from 'qs';
import helmet from 'helmet';

import activityRouter from './controllers/activity';
import assetsRouter from './controllers/assets';
Expand Down Expand Up @@ -53,6 +54,7 @@ import { register as registerWebhooks } from './webhooks';
import { flushCaches } from './cache';
import { registerAuthProviders } from './auth';
import { Url } from './utils/url';
import { getConfigFromEnv } from './utils/get-config-from-env';

export default async function createApp(): Promise<express.Application> {
validateEnv(['KEY', 'SECRET']);
Expand Down Expand Up @@ -89,6 +91,8 @@ export default async function createApp(): Promise<express.Application> {
app.set('trust proxy', env.IP_TRUST_PROXY);
app.set('query parser', (str: string) => qs.parse(str, { depth: 10 }));

app.use(helmet.contentSecurityPolicy(getConfigFromEnv('CONTENT_SECURITY_POLICY_')));

await emitter.emitInit('app.before', { app });

await emitter.emitInit('middlewares.before', { app });
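Review bot: The middleware added in the last hunk reads every variable under the `CONTENT_SECURITY_POLICY_` prefix through `getConfigFromEnv`, but the row added to docs/configuration/config-options.md names a single `CONTENT_SECURITY_POLICY` variable, so an operator cannot tell from the docs that this is a prefix, how a nested helmet key such as `directives` is spelled in the environment, or what happens when nothing is set; the row should state the prefix form with one worked example. The page does not show what `getConfigFromEnv` returns for an unset prefix, so it should be confirmed that helmet then falls back to its built-in directives (`default-src 'self'` among them), which are strict enough to block inline scripts and cross-origin assets on any HTML this server serves and therefore deserve an explicit mention in the docs as the default behaviour. A short comment above the call would make the source of the options visible: `// CSP options come from CONTENT_SECURITY_POLICY_* env vars; with none set, helmet's default directives apply (see docs/configuration/config-options.md)`. createApp continues outside the hunk.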
29 changes: 15 additions & 14 deletions docs/configuration/config-options.md
Expand Up @@ -227,20 +227,21 @@ All the `DB_POOL_` prefixed options are passed to [`tarn.js`](https://github.com

## Security

| Variable | Description | Default Value |
| -------------------------------- | ---------------------------------------------------------------------------------------------------------------------- | ------------------------ |
| `KEY` | Unique identifier for the project. | -- |
| `SECRET` | Secret string for the project. | -- |
| `ACCESS_TOKEN_TTL` | The duration that the access token is valid. | `15m` |
| `REFRESH_TOKEN_TTL` | The duration that the refresh token is valid, and also how long users stay logged-in to the App. | `7d` |
| `REFRESH_TOKEN_COOKIE_DOMAIN` | Which domain to use for the refresh cookie. Useful for development mode. | -- |
| `REFRESH_TOKEN_COOKIE_SECURE` | Whether or not to use a secure cookie for the refresh token in cookie mode. | `false` |
| `REFRESH_TOKEN_COOKIE_SAME_SITE` | Value for `sameSite` in the refresh token cookie when in cookie mode. | `lax` |
| `REFRESH_TOKEN_COOKIE_NAME` | Name of refresh token cookie . | `directus_refresh_token` |
| `PASSWORD_RESET_URL_ALLOW_LIST` | List of URLs that can be used [as `reset_url` in /password/request](/reference/authentication/#request-password-reset) | -- |
| `USER_INVITE_URL_ALLOW_LIST` | List of URLs that can be used [as `invite_url` in /users/invite](/reference/system/users/#invite-a-new-user) | -- |
| `IP_TRUST_PROXY` | Settings for [express' trust proxy setting](https://expressjs.com/en/guide/behind-proxies.html) | true |
| `IP_CUSTOM_HEADER` | What custom request header to use for the IP address | false |
| Variable | Description | Default Value |
| -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- | ------------------------ |
| `KEY` | Unique identifier for the project. | -- |
| `SECRET` | Secret string for the project. | -- |
| `ACCESS_TOKEN_TTL` | The duration that the access token is valid. | `15m` |
| `REFRESH_TOKEN_TTL` | The duration that the refresh token is valid, and also how long users stay logged-in to the App. | `7d` |
| `REFRESH_TOKEN_COOKIE_DOMAIN` | Which domain to use for the refresh cookie. Useful for development mode. | -- |
| `REFRESH_TOKEN_COOKIE_SECURE` | Whether or not to use a secure cookie for the refresh token in cookie mode. | `false` |
| `REFRESH_TOKEN_COOKIE_SAME_SITE` | Value for `sameSite` in the refresh token cookie when in cookie mode. | `lax` |
| `REFRESH_TOKEN_COOKIE_NAME` | Name of refresh token cookie . | `directus_refresh_token` |
| `PASSWORD_RESET_URL_ALLOW_LIST` | List of URLs that can be used [as `reset_url` in /password/request](/reference/authentication/#request-password-reset) | -- |
| `USER_INVITE_URL_ALLOW_LIST` | List of URLs that can be used [as `invite_url` in /users/invite](/reference/system/users/#invite-a-new-user) | -- |
| `IP_TRUST_PROXY` | Settings for [express' trust proxy setting](https://expressjs.com/en/guide/behind-proxies.html) | true |
| `IP_CUSTOM_HEADER` | What custom request header to use for the IP address | false |
| `CONTENT_SECURITY_POLICY` | Custom options for the Content-Security-Policy header. See [helmet's documentation](https://helmetjs.github.io) for more information. | -- |

::: tip Cookie Strictness

15 changes: 15 additions & 0 deletions package-lock.json

