Express: CSP headers

a573c956 · Matija Obreza · 87686331 · a573c956
Commit a573c956 authored Sep 24, 2021 by Matija Obreza
--- a/workspaces/ui-express/server/server.ts
+++ b/workspaces/ui-express/server/server.ts
@@ -54,13 +54,6 @@ app.get('/en/*', (req, res) => {
  const redirectPath = oldPath.substr(3, oldPath.length);
  res.redirect(301, `${config.frontendPath}${redirectPath}`);
 });
-
-// Handle sitemap.xml and references files
-app.get('/sitemap*.xml', sitemap);
-// Enable compression
-app.use(compression());
-// robots.txt
-app.get('/robots.txt', robots);
 // Redirect to api
 app.use('/api', (req, res) => {
  const url = req.url;
@@ -73,6 +66,21 @@ app.use('/api', (req, res) => {
    res.redirect(307, `${config.apiUrl}/api${url}`);
  }
 });
+
+// Enable compression
+app.use(compression());
+
+// Add CSP headers
+app.use((req, res, next) => {
+  res.header('X-Frame-Options', 'DENY');
+  res.header('Content-Security-Policy', 'frame-src \'none\'; script-src \'self\' \'unsafe-inline\'; style-src \'self\' \'unsafe-inline\';');
+  next();
+});
+
+// Handle sitemap.xml and references files
+app.get('/sitemap*.xml', sitemap);
+// robots.txt
+app.get('/robots.txt', robots);
 // Proxy all requests starting with /proxy
 app.use('/proxy', httpProxy);