diff --git a/app.js b/app.js
index e6a623d..be32b84 100644
--- a/app.js
+++ b/app.js
@@ -16,7 +16,7 @@ const bodyParser = require("body-parser");
 const helmet = require("helmet");
 const cors = require("cors");
 const path = require("path");
- 
+const csp_header_dict = require("./config/csp-headers");
 //Passport config
 require("./config/passport-google")(passport);
 //passport is for authenticating only 
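Review bot: The new binding `csp_header_dict` is snake_case in a file whose other module bindings are camelCase (`bodyParser`, `helmet`, `cors`, `path`), and "dict" describes a plain module object holding three arrays of source expressions. A name that matches the file's convention and says what it holds reads better at the three spread sites in the second hunk, e.g. `const cspSources = require("./config/csp-headers");`. The same rename would then apply to `csp_header_dict.defaultSrc`, `.scriptSrc` and `.imgSrc` in the directives hunk below.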
@@ -48,77 +48,17 @@ app.use(
 expressCspHeader({
 directives: {
 "default-src": [
- SELF,
- "*.google.com",
- "https://*/",
- "https://kit.fontawesome.com/",
- "https://images.squarespace-cdn.com/",
- "https://fonts.gstatic.com/",
- "*.googleapis.com",
- "kit.fontawesome.com",
- "https://apis.google.com/js/",
- "https://kit.fontawesome.com/*",
- "*.google.com",
- "https://kit.fontawesome.com/",
- "https://images.squarespace-cdn.com/",
- "https://fonts.gstatic.com/",
- "*.googleapis.com",
- "kit.fontawesome.com",
- "https://apis.google.com/js/",
- "data:",
- "https://apis.google.com/js/api.js",
- "apis.google.com",
- "self",
- 
+ ...csp_header_dict.defaultSrc,
 SELF,
 INLINE,
 ],
 "script-src": [
+ ...csp_header_dict.scriptSrc,
 SELF,
- "*.google.com",
- "https://kit.fontawesome.com/",
- "https://images.squarespace-cdn.com/",
- "https://fonts.gstatic.com/",
- "*.googleapis.com",
- "kit.fontawesome.com",
- "https://apis.google.com/js/",
- "https://kit.fontawesome.com/*",
- "*.google.com",
- "https://kit.fontawesome.com/",
- "https://images.squarespace-cdn.com/",
- "https://fonts.gstatic.com/",
- "*.googleapis.com",
- "kit.fontawesome.com",
- "https://apis.google.com/js/",
- "data:",
- "https://apis.google.com/js/api.js",
- "apis.google.com",
- "self",
- "data: *",
 INLINE,
 ],
- "img-src": ["data:image/svg+xml", SELF,
- "*.google.com",
- "https://*/",
- "https://kit.fontawesome.com/",
- "https://images.squarespace-cdn.com/",
- "https://fonts.gstatic.com/",
- "*.googleapis.com",
- "kit.fontawesome.com",
- "https://apis.google.com/js/",
- "https://kit.fontawesome.com/*",
- "*.google.com",
- "https://kit.fontawesome.com/",
- "https://images.squarespace-cdn.com/",
- "https://fonts.gstatic.com/",
- "*.googleapis.com",
- "kit.fontawesome.com",
- "https://apis.google.com/js/",
- "data:",
- "https://apis.google.com/js/api.js",
- "apis.google.com",
- "self",
- 
+ "img-src": [
+ ...csp_header_dict.imgSrc,
 SELF,
 INLINE,
 ],
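Review bot: `INLINE` ('unsafe-inline') is kept in `script-src` and `default-src` right after the spread-in allowlists, so the policy still executes any inline script that reaches a page and the host lists moved into config/csp-headers.js add almost no protection against injected markup. If templates need inline scripts, the mitigation is to drop `INLINE` from `script-src` (and from `default-src`, which is the fallback for `script-src`) and mark those scripts with express-csp-header's `NONCE` / `req.nonce` or hashes instead. `INLINE` in `img-src` is not a recognised source expression for that directive and can simply be removed. The enclosing `app.use(expressCspHeader({ ... }))` call opens before this hunk and closes after it, so `directives` may hold further entries not visible here.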
diff --git a/config/csp-headers.js b/config/csp-headers.js
new file mode 100644
index 0000000..797ab39
--- /dev/null
+++ b/config/csp-headers.js
@@ -0,0 +1,67 @@
+module.exports = {
+ "defaultSrc": [
+ "*.google.com",
+ "https://*/",
+ "https://kit.fontawesome.com/",
+ "https://images.squarespace-cdn.com/",
+ "https://fonts.gstatic.com/",
+ "*.googleapis.com",
+ "kit.fontawesome.com",
+ "https://apis.google.com/js/",
+ "https://kit.fontawesome.com/*",
+ "*.google.com",
+ "https://kit.fontawesome.com/",
+ "https://images.squarespace-cdn.com/",
+ "https://fonts.gstatic.com/",
+ "*.googleapis.com",
+ "kit.fontawesome.com",
+ "https://apis.google.com/js/",
+ "data:",
+ "https://apis.google.com/js/api.js",
+ "apis.google.com",
+ "self",
+ ],
+ "scriptSrc": ["*.google.com",
+ "https://kit.fontawesome.com/",
+ "https://images.squarespace-cdn.com/",
+ "https://fonts.gstatic.com/",
+ "*.googleapis.com",
+ "kit.fontawesome.com",
+ "https://apis.google.com/js/",
+ "https://kit.fontawesome.com/*",
+ "*.google.com",
+ "https://kit.fontawesome.com/",
+ "https://images.squarespace-cdn.com/",
+ "https://fonts.gstatic.com/",
+ "*.googleapis.com",
+ "kit.fontawesome.com",
+ "https://apis.google.com/js/",
+ "data:",
+ "https://apis.google.com/js/api.js",
+ "apis.google.com",
+ "self",
+ "data: *",
+ ],
+ "imgSrc": ["data:image/svg+xml",
+ "*.google.com",
+ "https://*/",
+ "https://kit.fontawesome.com/",
+ "https://images.squarespace-cdn.com/",
+ "https://fonts.gstatic.com/",
+ "*.googleapis.com",
+ "kit.fontawesome.com",
+ "https://apis.google.com/js/",
+ "https://kit.fontawesome.com/*",
+ "*.google.com",
+ "https://kit.fontawesome.com/",
+ "https://images.squarespace-cdn.com/",
+ "https://fonts.gstatic.com/",
+ "*.googleapis.com",
+ "kit.fontawesome.com",
+ "https://apis.google.com/js/",
+ "data:",
+ "https://apis.google.com/js/api.js",
+ "apis.google.com",
+ "self",
+ ],
+}
\ No newline at end of file
diff --git a/package-lock.json b/package-lock.json
index 9919703..bfc722c 100644
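Review bot: The lists moved into this new module are effectively open policies: `"https://*/"` in `defaultSrc` and `imgSrc` matches every HTTPS origin, `"data:"` in `scriptSrc` permits script from data: URLs, and `"data: *"` is a single string carrying two source expressions of which `*` matches any host, so the named CDN entries around them add nothing. The bare string `"self"` is not the keyword (`'self'` needs its inner quotes, which is what express-csp-header's `SELF` provides and app.js already adds), and every host appears twice, so the file would be much clearer deduplicated and with the wildcards removed. `scriptSrc` in particular should only name origins scripts are actually loaded from; judging by the names, `fonts.gstatic.com` and `images.squarespace-cdn.com` serve fonts and images and belong in `font-src` / `img-src`, so something like `scriptSrc: ["kit.fontawesome.com", "apis.google.com", "*.googleapis.com"]` is the shape to aim for, to be confirmed against the pages' actual script tags. A short header comment explaining that these arrays are spread into the `default-src`, `script-src` and `img-src` directives in app.js, plus `Object.freeze` on the exported object, would stop the lists being mutated at runtime.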
--- a/package-lock.json
+++ b/package-lock.json
@@ -433,6 +433,22 @@
 "mimic-response": "^1.0.0"
 }
 },
+ "cloudinary": {
+ "version": "1.23.0",
+ "resolved": "https://registry.npmjs.org/cloudinary/-/cloudinary-1.23.0.tgz",
+ "integrity": "sha512-akOxzroonvwWkuSVq7BI50nYpZPRXc5DbQIYETCVeKX9ZoToH2Gvc3MdUH63UtKiszuGYE51q2B+jQsJkBp2AQ==",
+ "requires": {
+ "cloudinary-core": "^2.10.2",
+ "core-js": "3.6.5",
+ "lodash": "^4.17.11",
+ "q": "^1.5.1"
+ }
+ },
+ "cloudinary-core": {
+ "version": "2.11.3",
+ "resolved": "https://registry.npmjs.org/cloudinary-core/-/cloudinary-core-2.11.3.tgz",
+ "integrity": "sha512-ZRnpjSgvx+LbSf+aEz5NKzxDB4Z0436aY/0BSDa90kAHiwAyd84VyEi95I74SE80e15Ri9t5S2xtksTXpzk9Xw=="
+ },
 "color-convert": {
 "version": "1.9.3",
 "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-1.9.3.tgz",
@@ -514,6 +530,11 @@
 "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz",
 "integrity": "sha1-4wOogrNCzD7oylE6eZmXNNqzriw="
 },
+ "core-js": {
+ "version": "3.6.5",
+ "resolved": "https://registry.npmjs.org/core-js/-/core-js-3.6.5.tgz",
+ "integrity": "sha512-vZVEEwZoIsI+vPEuoF9Iqf5H7/M3eeQqWlQnYa8FSKKePuYTf5MWnxb5SDAzCa60b3JBRS5g9b+Dq7b1y/RCrA=="
+ },
 "core-util-is": {
 "version": "1.0.2",
 "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz",
@@ -1825,6 +1846,11 @@
 "escape-goat": "^2.0.0"
 }
 },
+ "q": {
+ "version": "1.5.1",
+ "resolved": "https://registry.npmjs.org/q/-/q-1.5.1.tgz",
+ "integrity": "sha1-fjL3W0E4EpHQRhHxvxQQmsAGUdc="
+ },
 "qs": {
 "version": "6.7.0",
 "resolved": "https://registry.npmjs.org/qs/-/qs-6.7.0.tgz",
diff --git a/package.json b/package.json
index e80ca1e..e83e787 100644
--- a/package.json
+++ b/package.json
@@ -19,6 +19,7 @@
 "dependencies": {
 "bcryptjs": "^2.4.3",
 "body-parser": "^1.19.0",
+ "cloudinary": "^1.23.0",
 "concurrently": "^5.3.0",
 "cors": "^2.8.5",
 "dotenv": "^8.2.0",
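Review bot: `cloudinary` is added to package.json but nothing in this diff requires it, and the lockfile shows it pulls in `cloudinary-core`, `core-js`, `lodash` and `q` as transitive dependencies. If it is groundwork for a later change, the commit message should say so; otherwise it is an unused package widening the install surface and is better added in the commit that first uses it. The caret range `^1.23.0` also means future installs can resolve a newer minor, so keep the lockfile committed alongside it as done here.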