From ea97cd7c14c82e7e1009cc12baf5369e63459d7b Mon Sep 17 00:00:00 2001
From: syuilo
Date: Tue, 24 Aug 2021 13:08:20 +0900
Subject: [PATCH] fix(server): use csp to imporve security
---
 CHANGELOG.md | 1 +
 src/server/file/index.ts | 4 ++++
 src/server/proxy/index.ts | 4 ++++
 3 files changed, 9 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8a3988d02..5e4fbbf36 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@
 - クライアントのデザインの調整
 ### Bugfixes
+- セキュリティの向上
 ## 12.89.0 (2021/08/21)
diff --git a/src/server/file/index.ts b/src/server/file/index.ts
index 9b5d8f726..a455acd1c 100644
--- a/src/server/file/index.ts
+++ b/src/server/file/index.ts
@@ -17,6 +17,10 @@ const _dirname = dirname(_filename);
 // Init app
 const app = new Koa();
 app.use(cors());
+app.use(async (ctx, next) => {
+ ctx.set('Content-Security-Policy', `default-src 'none'; style-src 'unsafe-inline'`);
+ await next();
+});
 // Init router
 const router = new Router();
diff --git a/src/server/proxy/index.ts b/src/server/proxy/index.ts
index 9ef198d31..b8993f19f 100644
--- a/src/server/proxy/index.ts
+++ b/src/server/proxy/index.ts
@@ -10,6 +10,10 @@ import { proxyMedia } from './proxy-media';
 // Init app
 const app = new Koa();
 app.use(cors());
+app.use(async (ctx, next) => {
+ ctx.set('Content-Security-Policy', `default-src 'none'; style-src 'unsafe-inline'`);
+ await next();
+});
 // Init router
 const router = new Router();
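Review bot: The new CSP middleware in src/server/file/index.ts leaves `style-src 'unsafe-inline'` unexplained, and the hunk in src/server/proxy/index.ts duplicates the whole block byte for byte, so the two policies will drift the next time one of them is edited. Add a why-comment above `ctx.set(...)` along the lines of `// Bodies served here are untrusted uploads: forbid scripts, frames and fetches; inline styles stay allowed (presumably so SVG <style> blocks still render — confirm)` and move the policy string into a single exported constant or middleware that both servers import. Also note that `frame-ancestors`, `form-action` and `base-uri` do not inherit from `default-src`, so this header alone still lets other origins frame the served file; if that matters for these endpoints, extend it to `default-src 'none'; style-src 'unsafe-inline'; frame-ancestors 'none'`. Since the header is set before `await next()`, downstream route handlers can still override it per response, which is reasonable but worth stating in the comment.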