self-hosted/joplin
1
0
Fork 0
mirror of https://github.com/laurent22/joplin.git synced 2025-02-01 19:15:01 +02:00
Code Issues Releases Activity

Server: Security: Implement clickjacking defense

Browse Source
This commit is contained in:
Laurent Cozic 2021-09-23 15:56:40 +01:00
parent f144daed96
commit e3fd34e5d6
2 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
packages/server/src/app.ts
View File

@ -18,6 +18,7 @@ import { initializeJoplinUtils } from './utils/joplinUtils';
import startServices from './utils/startServices'; import startServices from './utils/startServices';
import { credentialFile } from './utils/testing/testUtils'; import { credentialFile } from './utils/testing/testUtils';
import apiVersionHandler from './middleware/apiVersionHandler'; import apiVersionHandler from './middleware/apiVersionHandler';
import clickJackingHandler from './middleware/clickJackingHandler';
const cors = require('@koa/cors'); const cors = require('@koa/cors');
const nodeEnvFile = require('node-env-file'); const nodeEnvFile = require('node-env-file');
@ -171,6 +172,7 @@ async function main() {
app.use(apiVersionHandler); app.use(apiVersionHandler);
app.use(ownerHandler); app.use(ownerHandler);
app.use(notificationHandler); app.use(notificationHandler);
app.use(clickJackingHandler);
app.use(routeHandler); app.use(routeHandler);
await initConfig(env, envVariables); await initConfig(env, envVariables);

8
packages/server/src/middleware/clickJackingHandler.ts Normal file
View File

@ -0,0 +1,8 @@
import { AppContext, KoaNext } from '../utils/types';
export default async function(ctx: AppContext, next: KoaNext): Promise<void> {
// https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html
ctx.response.set('Content-Security-Policy', 'frame-ancestors \'none\'');
ctx.response.set('X-Frame-Options', 'DENY');
return next();
}