feat: apply access-control-allow-origin globally

instead of only on some arbitrary routes

configurable via config, please check sample, disabled by default

i still recommend configuring from your own http server (nginx, etc.),
if you want to have more complex per-route headers
This commit is contained in:
Bobby 2022-05-02 13:58:04 +07:00
parent c89de676db
commit 595dd81455
No known key found for this signature in database
GPG Key ID: 941839794CBF5A09
2 changed files with 39 additions and 12 deletions


@ -138,14 +138,18 @@ module.exports = {
/* /*
Helmet security headers. Helmet security headers.
https://github.com/helmetjs/helmet/tree/v5.0.2#how-it-works https://github.com/helmetjs/helmet/tree/v5.0.2#how-it-works
These headers will be applied to ALL resources, including API endpoints,
and files if you serve them with node.
If you need to disable some of the headers at certain routes, it's recommended
to instead use own http server (nginx, etc.) in front of lolisafe and configure from there.
NOTE: You may set "helmet" option as an empty object {} to disable Helmet entirely.
Setting it as any falsy value will instead apply some default configurations.
*/ */
helmet: { helmet: {
contentSecurityPolicy: false, contentSecurityPolicy: false,
/* // Cross-Origin-* headers were enabled by default since Helmet v5.0.0
Cross-Origin-* headers were enabled by default since Helmet v5.0.0
However, for installations that use own http server for files (nginx, etc.),
these headers also need to be configured in there.
*/
crossOriginEmbedderPolicy: false, crossOriginEmbedderPolicy: false,
crossOriginOpenerPolicy: false, crossOriginOpenerPolicy: false,
crossOriginResourcePolicy: false, crossOriginResourcePolicy: false,
@ -161,6 +165,21 @@ module.exports = {
originAgentCluster: false originAgentCluster: false
}, },
/*
Access-Control-Allow-Origin
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
These headers will be applied to ALL resources, including API endpoints,
and files if you serve them with node.
If set to true, it will be set as wildcard (*).
If set to any falsy value, it will be not set altogether.
Otherwise if any string value, it will be set as-is.
Whether to use this in conjunction with Cross-Origin-* headers depends on your needs.
FAQ: https://resourcepolicy.fyi/#acao
*/
accessControlAllowOrigin: false,
/* /*
Trust proxy. Trust proxy.
Enable this if you are using proxy such as Cloudflare or Incapsula, Enable this if you are using proxy such as Cloudflare or Incapsula,
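Review bot: The new `accessControlAllowOrigin` comment says a string value "will be set as-is" but does not tell the reader that the header admits exactly one origin or `*`, so a comma-separated list is a plausible misconfiguration that browsers simply reject. Suggest adding, after the "Otherwise if any string value" line, `Only a single origin (scheme://host[:port]) or the wildcard * is valid; a list of origins is not accepted by browsers.` It would also help to state that the value is emitted without validation, which appears to be the case in the middleware added in the other file.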


@ -77,6 +77,20 @@ if (config.helmet instanceof Object) {
safe.use(helmet(defaults)) safe.use(helmet(defaults))
} }
// Access-Control-Allow-Origin
if (config.accessControlAllowOrigin) {
if (config.accessControlAllowOrigin === true) {
config.accessControlAllowOrigin = '*'
}
safe.use((req, res, next) => {
res.set('Access-Control-Allow-Origin', config.accessControlAllowOrigin)
if (config.accessControlAllowOrigin !== '*') {
res.vary('Origin')
}
next()
})
}
if (config.trustProxy) { if (config.trustProxy) {
safe.set('trust proxy', 1) safe.set('trust proxy', 1)
} }
@ -105,9 +119,7 @@ safe.use(bodyParser.urlencoded({ extended: true }))
safe.use(bodyParser.json()) safe.use(bodyParser.json())
const cdnPages = [...config.pages] const cdnPages = [...config.pages]
let setHeaders = res => { let setHeaders
res.set('Access-Control-Allow-Origin', '*')
}
const contentTypes = config.overrideContentTypes && Object.keys(config.overrideContentTypes) const contentTypes = config.overrideContentTypes && Object.keys(config.overrideContentTypes)
const overrideContentTypes = (res, path) => { const overrideContentTypes = (res, path) => {
@ -187,7 +199,6 @@ if (config.cacheControl) {
if (config.serveFilesWithNode) { if (config.serveFilesWithNode) {
initServeStaticUploads({ initServeStaticUploads({
setHeaders: (res, path) => { setHeaders: (res, path) => {
res.set('Access-Control-Allow-Origin', '*')
// Override Content-Type if necessary // Override Content-Type if necessary
if (contentTypes && contentTypes.length) { if (contentTypes && contentTypes.length) {
overrideContentTypes(res, path) overrideContentTypes(res, path)
@ -205,13 +216,11 @@ if (config.cacheControl) {
// This requires the assets to use version in their query string, // This requires the assets to use version in their query string,
// as they will be cached by clients for a very long time. // as they will be cached by clients for a very long time.
setHeaders = res => { setHeaders = res => {
res.set('Access-Control-Allow-Origin', '*')
res.set('Cache-Control', cacheControls.static) res.set('Cache-Control', cacheControls.static)
} }
// Consider album ZIPs static as well, since they use version in their query string // Consider album ZIPs static as well, since they use version in their query string
safe.use(['/api/album/zip'], (req, res, next) => { safe.use(['/api/album/zip'], (req, res, next) => {
res.set('Access-Control-Allow-Origin', '*')
const versionString = parseInt(req.query.v) const versionString = parseInt(req.query.v)
if (versionString > 0) { if (versionString > 0) {
res.set('Cache-Control', cacheControls.static) res.set('Cache-Control', cacheControls.static)
@ -223,7 +232,6 @@ if (config.cacheControl) {
} else if (config.serveFilesWithNode) { } else if (config.serveFilesWithNode) {
initServeStaticUploads({ initServeStaticUploads({
setHeaders: (res, path) => { setHeaders: (res, path) => {
res.set('Access-Control-Allow-Origin', '*')
// Override Content-Type if necessary // Override Content-Type if necessary
if (contentTypes && contentTypes.length) { if (contentTypes && contentTypes.length) {
overrideContentTypes(res, path) overrideContentTypes(res, path)
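Review bot: The middleware in the `@ -77,6 +77,20` hunk rewrites `config.accessControlAllowOrigin` in place to turn `true` into `'*'`, mutating the shared config object as a side effect of app setup, and then hands whatever truthy value remains straight to `res.set`. Computing the header value once outside the middleware keeps the config untouched and lets a type check reject anything that is not a string, since `res.set` would otherwise stringify a number or emit an array as multiple header values. Replace the inner `if` with `const allowOrigin = config.accessControlAllowOrigin === true ? '*' : config.accessControlAllowOrigin`, guard it with `if (typeof allowOrigin !== 'string') throw new Error('accessControlAllowOrigin must be true or a string')`, and use `allowOrigin` in both the `res.set` call and the `!== '*'` comparison. The `res.vary('Origin')` for a fixed non-wildcard value is harmless but not required, since the response does not actually vary by request Origin.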