mirror of
https://github.com/sudoxnym/habitica.git
synced 2026-04-14 19:56:23 +00:00
security: add default security headers provided by helmet.js (#11358)
This commit is contained in:
Matteo Pagliazzi
GitHub
parent
bbf45f263a
commit
d93d295d9f
3 changed files with 139 additions and 0 deletions
135
package-lock.json
generated
135
package-lock.json
generated
|
|
@ -5272,6 +5272,11 @@
|
|||
"vue-functional-data-merge": "^3.1.0"
|
||||
}
|
||||
},
|
||||
"bowser": {
|
||||
"version": "2.5.4",
|
||||
"resolved": "https://registry.npmjs.org/bowser/-/bowser-2.5.4.tgz",
|
||||
"integrity": "sha512-74GGwfc2nzYD19JCiA0RwCxdq7IY5jHeEaSrrgm/5kusEuK+7UK0qDG3gyzN47c4ViNyO4osaKtZE+aSV6nlpQ=="
|
||||
},
|
||||
"boxen": {
|
||||
"version": "1.3.0",
|
||||
"resolved": "https://registry.npmjs.org/boxen/-/boxen-1.3.0.tgz",
|
||||
|
|
@ -5623,6 +5628,11 @@
|
|||
}
|
||||
}
|
||||
},
|
||||
"camelize": {
|
||||
"version": "1.0.0",
|
||||
"resolved": "https://registry.npmjs.org/camelize/-/camelize-1.0.0.tgz",
|
||||
"integrity": "sha1-FkpUg+Yw+kMh5a8HAg5TGDGyYJs="
|
||||
},
|
||||
"caniuse-api": {
|
||||
"version": "1.6.1",
|
||||
"resolved": "https://registry.npmjs.org/caniuse-api/-/caniuse-api-1.6.1.tgz",
|
||||
|
|
@ -6982,6 +6992,11 @@
|
|||
"safe-buffer": "5.1.2"
|
||||
}
|
||||
},
|
||||
"content-security-policy-builder": {
|
||||
"version": "2.1.0",
|
||||
"resolved": "https://registry.npmjs.org/content-security-policy-builder/-/content-security-policy-builder-2.1.0.tgz",
|
||||
"integrity": "sha512-/MtLWhJVvJNkA9dVLAp6fg9LxD2gfI6R2Fi1hPmfjYXSahJJzcfvoeDOxSyp4NvxMuwWv3WMssE9o31DoULHrQ=="
|
||||
},
|
||||
"content-type": {
|
||||
"version": "1.0.4",
|
||||
"resolved": "https://registry.npmjs.org/content-type/-/content-type-1.0.4.tgz",
|
||||
|
|
@ -7582,6 +7597,11 @@
|
|||
}
|
||||
}
|
||||
},
|
||||
"dasherize": {
|
||||
"version": "2.0.0",
|
||||
"resolved": "https://registry.npmjs.org/dasherize/-/dasherize-2.0.0.tgz",
|
||||
"integrity": "sha1-bYCcnNDPe7iVLYD8hPoT1H3bEwg="
|
||||
},
|
||||
"data-store": {
|
||||
"version": "0.16.1",
|
||||
"resolved": "https://registry.npmjs.org/data-store/-/data-store-0.16.1.tgz",
|
||||
|
|
@ -8389,6 +8409,11 @@
|
|||
}
|
||||
}
|
||||
},
|
||||
"dns-prefetch-control": {
|
||||
"version": "0.2.0",
|
||||
"resolved": "https://registry.npmjs.org/dns-prefetch-control/-/dns-prefetch-control-0.2.0.tgz",
|
||||
"integrity": "sha512-hvSnros73+qyZXhHFjx2CMLwoj3Fe7eR9EJsFsqmcI1bB2OBWL/+0YzaEaKssCHnj/6crawNnUyw74Gm2EKe+Q=="
|
||||
},
|
||||
"doctrine": {
|
||||
"version": "2.1.0",
|
||||
"resolved": "https://registry.npmjs.org/doctrine/-/doctrine-2.1.0.tgz",
|
||||
|
|
@ -8482,6 +8507,11 @@
|
|||
"domelementtype": "1"
|
||||
}
|
||||
},
|
||||
"dont-sniff-mimetype": {
|
||||
"version": "1.1.0",
|
||||
"resolved": "https://registry.npmjs.org/dont-sniff-mimetype/-/dont-sniff-mimetype-1.1.0.tgz",
|
||||
"integrity": "sha512-ZjI4zqTaxveH2/tTlzS1wFp+7ncxNZaIEWYg3lzZRHkKf5zPT/MnEG6WL0BhHMJUabkh8GeU5NL5j+rEUCb7Ug=="
|
||||
},
|
||||
"dot-prop": {
|
||||
"version": "4.2.0",
|
||||
"resolved": "https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz",
|
||||
|
|
@ -10059,6 +10089,11 @@
|
|||
"homedir-polyfill": "^1.0.1"
|
||||
}
|
||||
},
|
||||
"expect-ct": {
|
||||
"version": "0.2.0",
|
||||
"resolved": "https://registry.npmjs.org/expect-ct/-/expect-ct-0.2.0.tgz",
|
||||
"integrity": "sha512-6SK3MG/Bbhm8MsgyJAylg+ucIOU71/FzyFalcfu5nY19dH8y/z0tBJU0wrNBXD4B27EoQtqPF/9wqH0iYAd04g=="
|
||||
},
|
||||
"expect.js": {
|
||||
"version": "0.3.1",
|
||||
"resolved": "https://registry.npmjs.org/expect.js/-/expect.js-0.3.1.tgz",
|
||||
|
|
@ -10475,6 +10510,11 @@
|
|||
"pend": "~1.2.0"
|
||||
}
|
||||
},
|
||||
"feature-policy": {
|
||||
"version": "0.3.0",
|
||||
"resolved": "https://registry.npmjs.org/feature-policy/-/feature-policy-0.3.0.tgz",
|
||||
"integrity": "sha512-ZtijOTFN7TzCujt1fnNhfWPFPSHeZkesff9AXZj+UEjYBynWNUIYpC87Ve4wHzyexQsImicLu7WsC2LHq7/xrQ=="
|
||||
},
|
||||
"fecha": {
|
||||
"version": "2.3.3",
|
||||
"resolved": "https://registry.npmjs.org/fecha/-/fecha-2.3.3.tgz",
|
||||
|
|
@ -10974,6 +11014,11 @@
|
|||
"map-cache": "^0.2.2"
|
||||
}
|
||||
},
|
||||
"frameguard": {
|
||||
"version": "3.1.0",
|
||||
"resolved": "https://registry.npmjs.org/frameguard/-/frameguard-3.1.0.tgz",
|
||||
"integrity": "sha512-TxgSKM+7LTA6sidjOiSZK9wxY0ffMPY3Wta//MqwmX0nZuEHc8QrkV8Fh3ZhMJeiH+Uyh/tcaarImRy8u77O7g=="
|
||||
},
|
||||
"fresh": {
|
||||
"version": "0.5.2",
|
||||
"resolved": "https://registry.npmjs.org/fresh/-/fresh-0.5.2.tgz",
|
||||
|
|
@ -12754,6 +12799,51 @@
|
|||
"resolved": "https://registry.npmjs.org/hellojs/-/hellojs-1.18.1.tgz",
|
||||
"integrity": "sha512-T673GW3RSuM4xzYfJpp/wNPDbUG9FlNSNkQn0thII8DOpl3NphcmtmNrHrmv8hyk1fosJHkgzDfbcpJvmeq5Gw=="
|
||||
},
|
||||
"helmet": {
|
||||
"version": "3.21.0",
|
||||
"resolved": "https://registry.npmjs.org/helmet/-/helmet-3.21.0.tgz",
|
||||
"integrity": "sha512-TS3GryQMPR7n/heNnGC0Cl3Ess30g8C6EtqZyylf+Y2/kF4lM8JinOR90rzIICsw4ymWTvji4OhDmqsqxkLrcg==",
|
||||
"requires": {
|
||||
"depd": "2.0.0",
|
||||
"dns-prefetch-control": "0.2.0",
|
||||
"dont-sniff-mimetype": "1.1.0",
|
||||
"expect-ct": "0.2.0",
|
||||
"feature-policy": "0.3.0",
|
||||
"frameguard": "3.1.0",
|
||||
"helmet-crossdomain": "0.4.0",
|
||||
"helmet-csp": "2.9.1",
|
||||
"hide-powered-by": "1.1.0",
|
||||
"hpkp": "2.0.0",
|
||||
"hsts": "2.2.0",
|
||||
"ienoopen": "1.1.0",
|
||||
"nocache": "2.1.0",
|
||||
"referrer-policy": "1.2.0",
|
||||
"x-xss-protection": "1.3.0"
|
||||
},
|
||||
"dependencies": {
|
||||
"depd": {
|
||||
"version": "2.0.0",
|
||||
"resolved": "https://registry.npmjs.org/depd/-/depd-2.0.0.tgz",
|
||||
"integrity": "sha512-g7nH6P6dyDioJogAAGprGpCtVImJhpPk/roCzdb3fIh61/s/nPsfR6onyMwkCAR/OlC3yBC0lESvUoQEAssIrw=="
|
||||
}
|
||||
}
|
||||
},
|
||||
"helmet-crossdomain": {
|
||||
"version": "0.4.0",
|
||||
"resolved": "https://registry.npmjs.org/helmet-crossdomain/-/helmet-crossdomain-0.4.0.tgz",
|
||||
"integrity": "sha512-AB4DTykRw3HCOxovD1nPR16hllrVImeFp5VBV9/twj66lJ2nU75DP8FPL0/Jp4jj79JhTfG+pFI2MD02kWJ+fA=="
|
||||
},
|
||||
"helmet-csp": {
|
||||
"version": "2.9.1",
|
||||
"resolved": "https://registry.npmjs.org/helmet-csp/-/helmet-csp-2.9.1.tgz",
|
||||
"integrity": "sha512-HgdXSJ6AVyXiy5ohVGpK6L7DhjI9KVdKVB1xRoixxYKsFXFwoVqtLKgDnfe3u8FGGKf9Ml9k//C9rnncIIAmyA==",
|
||||
"requires": {
|
||||
"bowser": "2.5.4",
|
||||
"camelize": "1.0.0",
|
||||
"content-security-policy-builder": "2.1.0",
|
||||
"dasherize": "2.0.0"
|
||||
}
|
||||
},
|
||||
"helper-cache": {
|
||||
"version": "0.7.2",
|
||||
"resolved": "https://registry.npmjs.org/helper-cache/-/helper-cache-0.7.2.tgz",
|
||||
|
|
@ -12784,6 +12874,11 @@
|
|||
"resolved": "https://registry.npmjs.org/hex2dec/-/hex2dec-1.1.2.tgz",
|
||||
"integrity": "sha512-Yu+q/XWr2fFQ11tHxPq4p4EiNkb2y+lAacJNhAdRXVfRIcDH6gi7htWFnnlIzvqHMHoWeIsfXlNAjZInpAOJDA=="
|
||||
},
|
||||
"hide-powered-by": {
|
||||
"version": "1.1.0",
|
||||
"resolved": "https://registry.npmjs.org/hide-powered-by/-/hide-powered-by-1.1.0.tgz",
|
||||
"integrity": "sha512-Io1zA2yOA1YJslkr+AJlWSf2yWFkKjvkcL9Ni1XSUqnGLr/qRQe2UI3Cn/J9MsJht7yEVCe0SscY1HgVMujbgg=="
|
||||
},
|
||||
"hmac-drbg": {
|
||||
"version": "1.0.1",
|
||||
"resolved": "https://registry.npmjs.org/hmac-drbg/-/hmac-drbg-1.0.1.tgz",
|
||||
|
|
@ -12821,6 +12916,26 @@
|
|||
"resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.4.tgz",
|
||||
"integrity": "sha512-pzXIvANXEFrc5oFFXRMkbLPQ2rXRoDERwDLyrcUxGhaZhgP54BBSl9Oheh7Vv0T090cszWBxPjkQQ5Sq1PbBRQ=="
|
||||
},
|
||||
"hpkp": {
|
||||
"version": "2.0.0",
|
||||
"resolved": "https://registry.npmjs.org/hpkp/-/hpkp-2.0.0.tgz",
|
||||
"integrity": "sha1-EOFCJk52IVpdMMROxD3mTe5tFnI="
|
||||
},
|
||||
"hsts": {
|
||||
"version": "2.2.0",
|
||||
"resolved": "https://registry.npmjs.org/hsts/-/hsts-2.2.0.tgz",
|
||||
"integrity": "sha512-ToaTnQ2TbJkochoVcdXYm4HOCliNozlviNsg+X2XQLQvZNI/kCHR9rZxVYpJB3UPcHz80PgxRyWQ7PdU1r+VBQ==",
|
||||
"requires": {
|
||||
"depd": "2.0.0"
|
||||
},
|
||||
"dependencies": {
|
||||
"depd": {
|
||||
"version": "2.0.0",
|
||||
"resolved": "https://registry.npmjs.org/depd/-/depd-2.0.0.tgz",
|
||||
"integrity": "sha512-g7nH6P6dyDioJogAAGprGpCtVImJhpPk/roCzdb3fIh61/s/nPsfR6onyMwkCAR/OlC3yBC0lESvUoQEAssIrw=="
|
||||
}
|
||||
}
|
||||
},
|
||||
"html-comment-regex": {
|
||||
"version": "1.1.2",
|
||||
"resolved": "https://registry.npmjs.org/html-comment-regex/-/html-comment-regex-1.1.2.tgz",
|
||||
|
|
@ -13133,6 +13248,11 @@
|
|||
"resolved": "https://registry.npmjs.org/ieee754/-/ieee754-1.1.13.tgz",
|
||||
"integrity": "sha512-4vf7I2LYV/HaWerSo3XmlMkp5eZ83i+/CDluXi/IGTs/O1sejBNhTtnxzmRZfvOUqj7lZjqHkeTvpgSFDlWZTg=="
|
||||
},
|
||||
"ienoopen": {
|
||||
"version": "1.1.0",
|
||||
"resolved": "https://registry.npmjs.org/ienoopen/-/ienoopen-1.1.0.tgz",
|
||||
"integrity": "sha512-MFs36e/ca6ohEKtinTJ5VvAJ6oDRAYFdYXweUnGY9L9vcoqFOU4n2ZhmJ0C4z/cwGZ3YIQRSB3XZ1+ghZkY5NQ=="
|
||||
},
|
||||
"ignore": {
|
||||
"version": "5.1.4",
|
||||
"resolved": "https://registry.npmjs.org/ignore/-/ignore-5.1.4.tgz",
|
||||
|
|
@ -17521,6 +17641,11 @@
|
|||
"lower-case": "^1.1.1"
|
||||
}
|
||||
},
|
||||
"nocache": {
|
||||
"version": "2.1.0",
|
||||
"resolved": "https://registry.npmjs.org/nocache/-/nocache-2.1.0.tgz",
|
||||
"integrity": "sha512-0L9FvHG3nfnnmaEQPjT9xhfN4ISk0A8/2j4M37Np4mcDesJjHgEUfgPhdCyZuFI954tjokaIj/A3NdpFNdEh4Q=="
|
||||
},
|
||||
"node-bitmap": {
|
||||
"version": "0.0.1",
|
||||
"resolved": "https://registry.npmjs.org/node-bitmap/-/node-bitmap-0.0.1.tgz",
|
||||
|
|
@ -22406,6 +22531,11 @@
|
|||
}
|
||||
}
|
||||
},
|
||||
"referrer-policy": {
|
||||
"version": "1.2.0",
|
||||
"resolved": "https://registry.npmjs.org/referrer-policy/-/referrer-policy-1.2.0.tgz",
|
||||
"integrity": "sha512-LgQJIuS6nAy1Jd88DCQRemyE3mS+ispwlqMk3b0yjZ257fI1v9c+/p6SD5gP5FGyXUIgrNOAfmyioHwZtYv2VA=="
|
||||
},
|
||||
"regenerate": {
|
||||
"version": "1.4.0",
|
||||
"resolved": "https://registry.npmjs.org/regenerate/-/regenerate-1.4.0.tgz",
|
||||
|
|
@ -27591,6 +27721,11 @@
|
|||
"ultron": "1.0.x"
|
||||
}
|
||||
},
|
||||
"x-xss-protection": {
|
||||
"version": "1.3.0",
|
||||
"resolved": "https://registry.npmjs.org/x-xss-protection/-/x-xss-protection-1.3.0.tgz",
|
||||
"integrity": "sha512-kpyBI9TlVipZO4diReZMAHWtS0MMa/7Kgx8hwG/EuZLiA6sg4Ah/4TRdASHhRRN3boobzcYgFRUFSgHRge6Qhg=="
|
||||
},
|
||||
"xdg-basedir": {
|
||||
"version": "3.0.0",
|
||||
"resolved": "https://registry.npmjs.org/xdg-basedir/-/xdg-basedir-3.0.0.tgz",
|
||||
|
|
|
|||
|
|
@ -53,6 +53,7 @@
|
|||
"gulp.spritesmith": "^6.9.0",
|
||||
"habitica-markdown": "^1.3.0",
|
||||
"hellojs": "^1.18.1",
|
||||
"helmet": "^3.21.0",
|
||||
"html-webpack-plugin": "^3.2.0",
|
||||
"image-size": "^0.8.0",
|
||||
"in-app-purchase": "^1.11.3",
|
||||
|
|
|
|||
|
|
@ -27,6 +27,7 @@ import {
|
|||
attachTranslateFunction,
|
||||
} from './language';
|
||||
import basicAuth from 'express-basic-auth';
|
||||
import helmet from 'helmet';
|
||||
|
||||
const IS_PROD = nconf.get('IS_PROD');
|
||||
const DISABLE_LOGGING = nconf.get('DISABLE_REQUEST_LOGGING') === 'true';
|
||||
|
|
@ -44,6 +45,8 @@ module.exports = function attachMiddlewares (app, server) {
|
|||
|
||||
if (!IS_PROD && !DISABLE_LOGGING) app.use(morgan('dev'));
|
||||
|
||||
app.use(helmet()); // See https://helmetjs.github.io/ for the list of headers enabled by default
|
||||
|
||||
// add res.respond and res.t
|
||||
app.use(responseHandler);
|
||||
app.use(attachTranslateFunction);
|
||||
|
|
|
|||
Loading…
Reference in a new issue