start working on integrating helmet plugin
parent
e174972cbb
commit
21738654e9
31
app.js
31
app.js
|
@ -9,9 +9,9 @@ var session = require('express-session');
|
||||||
var bodyParser = require('body-parser');
|
var bodyParser = require('body-parser');
|
||||||
var logger = require('morgan');
|
var logger = require('morgan');
|
||||||
var errorHandler = require('errorhandler');
|
var errorHandler = require('errorhandler');
|
||||||
var csrf = require('lusca').csrf();
|
|
||||||
var methodOverride = require('method-override');
|
var methodOverride = require('method-override');
|
||||||
var bodyParser = require('body-parser');
|
var bodyParser = require('body-parser');
|
||||||
|
var helmet = require('helmet');
|
||||||
|
|
||||||
var _ = require('lodash');
|
var _ = require('lodash');
|
||||||
var MongoStore = require('connect-mongo')(session);
|
var MongoStore = require('connect-mongo')(session);
|
||||||
|
@ -55,12 +55,6 @@ mongoose.connection.on('error', function() {
|
||||||
console.error('MongoDB Connection Error. Please make sure that MongoDB is running.');
|
console.error('MongoDB Connection Error. Please make sure that MongoDB is running.');
|
||||||
});
|
});
|
||||||
|
|
||||||
/**
|
|
||||||
* CSRF whitelist.
|
|
||||||
*/
|
|
||||||
|
|
||||||
var csrfExclude = ['/url1', '/url2'];
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Express configuration.
|
* Express configuration.
|
||||||
*/
|
*/
|
||||||
|
@ -91,12 +85,23 @@ app.use(session({
|
||||||
app.use(passport.initialize());
|
app.use(passport.initialize());
|
||||||
app.use(passport.session());
|
app.use(passport.session());
|
||||||
app.use(flash());
|
app.use(flash());
|
||||||
|
app.disable('x-powered-by');
|
||||||
app.use(function(req, res, next) {
|
app.use(helmet.xssFilter());
|
||||||
// CSRF protection.
|
app.use(helmet.xframe());
|
||||||
if (_.contains(csrfExclude, req.path)) { return next(); }
|
app.use(helmet.contentSecurityPolicy({
|
||||||
csrf(req, res, next);
|
defaultSrc: ["'self'", 'freecodecamp.com'],
|
||||||
});
|
scriptSrc: ['*.google-analytics.com', '*.optimizely.com', '*.googleapis.com', '*.twitter.com'],
|
||||||
|
styleSrc: ["'self'", '*.twitter.com'],
|
||||||
|
imgSrc: ["'self'", '*.amazonaws.com', '*.twitter.com', '*.twimg.com'],
|
||||||
|
fontSrc: ["'self", '*.googleapis.com', '*.twitter.com'],
|
||||||
|
mediaSrc: ['*.amazonaws.com', '*.twitter'],
|
||||||
|
frameSrc: ['*.gitter.im', '*.vimeo.com'],
|
||||||
|
// sandbox: ['allow-forms', 'allow-scripts'],
|
||||||
|
// reportUri: '/report-violation',
|
||||||
|
reportOnly: false, // set to true if you only want to report errors
|
||||||
|
setAllHeaders: false, // set to true if you want to set all headers
|
||||||
|
safari5: false // set to true if you want to force buggy CSP in Safari 5
|
||||||
|
}));
|
||||||
|
|
||||||
app.use(function(req, res, next) {
|
app.use(function(req, res, next) {
|
||||||
// Make user object available in templates.
|
// Make user object available in templates.
|
||||||
|
|
|
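Review bot: The `fontSrc` entry of the contentSecurityPolicy block is misquoted — `["'self", ...]` is missing the closing single quote, so the emitted header carries `'self` instead of the `'self'` keyword, which is not a valid source expression and means fonts served from the app's own origin are not allowed by the policy; it should read `fontSrc: ["'self'", '*.googleapis.com', '*.twitter.com'],`. Two lines below, `mediaSrc: ['*.amazonaws.com', '*.twitter'],` lacks the TLD and presumably means `'*.twitter.com'`. Since `scriptSrc` is set explicitly, `defaultSrc` no longer applies to scripts, so the app's own scripts are not covered by this list either — worth confirming that is intended. Separately, removing the lusca `csrf` middleware and `csrfExclude` leaves the state-changing routes without CSRF protection (the helmet headers added here do not replace it) while the layout template's context line still renders `meta(name='csrf-token', content=_csrf)`, so `_csrf` is now undefined unless it is provided elsewhere. The trailing `app.use(function(req, res, next) {` continues outside the hunk.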
@ -1,3 +1,12 @@
|
||||||
|
|
||||||
|
var User = require('../models/User');
|
||||||
|
|
||||||
|
var totalUsers = User.count({}, function( err, count){
|
||||||
|
count;
|
||||||
|
});
|
||||||
|
|
||||||
|
//var usersOverTenChallenges = User.where: "this.challengesCompleted && this.challengesCompleted.length >= 10"
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* GET /
|
* GET /
|
||||||
* Resources.
|
* Resources.
|
||||||
|
@ -15,6 +24,14 @@ exports.privacy = function(req, res) {
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
exports.statistics = function(req, res) {
|
||||||
|
res.render('statistics', {
|
||||||
|
title: 'Code Camper Statistics',
|
||||||
|
totalUsers: totalUsers,
|
||||||
|
//usersOverTenChallenges: usersOverTenChallenges
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
exports.jqueryExercises = function(req, res) {
|
exports.jqueryExercises = function(req, res) {
|
||||||
res.render('jquery-exercises', {
|
res.render('jquery-exercises', {
|
||||||
title: 'jQuery Exercises'
|
title: 'jQuery Exercises'
|
||||||
|
|
|
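Review bot: `var totalUsers = User.count({}, function(err, count){ count; });` stores the return value of `User.count` (a query object in mongoose, not a number) because the callback's `count;` statement discards the result, so `exports.statistics` renders that object as `totalUsers` rather than the count; the query also runs once at module load instead of per request, and `err` is ignored. Move the count into the handler, pass the real value through the callback and forward errors to `next`, dropping the module-level `totalUsers` assignment.
```javascript
exports.statistics = function(req, res, next) {
  User.count({}, function(err, count) {
    if (err) { return next(err); }
    res.render('statistics', {
      title: 'Code Camper Statistics',
      totalUsers: count
    });
  });
};
```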
@ -28,17 +28,17 @@
|
||||||
"express-validator": "^2.7.0",
|
"express-validator": "^2.7.0",
|
||||||
"fbgraph": "^0.3.0",
|
"fbgraph": "^0.3.0",
|
||||||
"github-api": "^0.7.0",
|
"github-api": "^0.7.0",
|
||||||
"helmet": "^0.5.2",
|
"helmet": "^0.5.3",
|
||||||
"instagram-node": "^0.5.1",
|
"instagram-node": "^0.5.1",
|
||||||
"jade": "^1.8.0",
|
"jade": "^1.8.0",
|
||||||
"lastfm": "^0.9.2",
|
"lastfm": "^0.9.2",
|
||||||
"less": "^1.7.5",
|
"less": "^1.7.5",
|
||||||
"lodash": "^2.4.1",
|
"lodash": "^2.4.1",
|
||||||
"newrelic": "^1.13.3",
|
|
||||||
"lusca": "^1.0.2",
|
"lusca": "^1.0.2",
|
||||||
"method-override": "^2.3.0",
|
"method-override": "^2.3.0",
|
||||||
"mongoose": "^3.8.19",
|
"mongoose": "^3.8.19",
|
||||||
"morgan": "^1.5.0",
|
"morgan": "^1.5.0",
|
||||||
|
"newrelic": "^1.13.3",
|
||||||
"node-foursquare": "^0.2.1",
|
"node-foursquare": "^0.2.1",
|
||||||
"node-linkedin": "^0.3.4",
|
"node-linkedin": "^0.3.4",
|
||||||
"nodemailer": "^1.3.0",
|
"nodemailer": "^1.3.0",
|
||||||
|
@ -51,8 +51,8 @@
|
||||||
"passport-local": "^1.0.0",
|
"passport-local": "^1.0.0",
|
||||||
"passport-oauth": "^1.0.0",
|
"passport-oauth": "^1.0.0",
|
||||||
"passport-twitter": "^1.0.2",
|
"passport-twitter": "^1.0.2",
|
||||||
"sitemap": "^0.7.4",
|
|
||||||
"request": "^2.49.0",
|
"request": "^2.49.0",
|
||||||
|
"sitemap": "^0.7.4",
|
||||||
"stripe": "^3.0.2",
|
"stripe": "^3.0.2",
|
||||||
"tumblr.js": "^0.0.4",
|
"tumblr.js": "^0.0.4",
|
||||||
"twilio": "^1.9.0",
|
"twilio": "^1.9.0",
|
||||||
|
|
|
@ -5,6 +5,7 @@ meta(name='csrf-token', content=_csrf)
|
||||||
meta(name='keywords', content='learn to code, learn how to code, code, coding, software engineer, software developer, mean stack, pair programming, node.js, angular.js, express.js, mongoDB, coding bootcamp')
|
meta(name='keywords', content='learn to code, learn how to code, code, coding, software engineer, software developer, mean stack, pair programming, node.js, angular.js, express.js, mongoDB, coding bootcamp')
|
||||||
meta(content="Learn to code at freecodecamp.com. Free Code Camp is a free coding bootcamp for busy people. Learn JavaScript, build a portfolio, and get great references - all by helping nonprofits!", property="og:title")
|
meta(content="Learn to code at freecodecamp.com. Free Code Camp is a free coding bootcamp for busy people. Learn JavaScript, build a portfolio, and get great references - all by helping nonprofits!", property="og:title")
|
||||||
meta(content="FreeCodeCamp", property="og:site_name")
|
meta(content="FreeCodeCamp", property="og:site_name")
|
||||||
|
meta(name='twitter:widgets:csp', content='on')
|
||||||
meta(content="http://www.freecodecamp.com", property="og:url")
|
meta(content="http://www.freecodecamp.com", property="og:url")
|
||||||
meta(content="Learn to code at freecodecamp.com. Free Code Camp is a free coding bootcamp for busy people. Learn JavaScript, build a portfolio, and get great references - all by helping nonprofits!", property="og:description")
|
meta(content="Learn to code at freecodecamp.com. Free Code Camp is a free coding bootcamp for busy people. Learn JavaScript, build a portfolio, and get great references - all by helping nonprofits!", property="og:description")
|
||||||
meta(content="https://pbs.twimg.com/profile_images/522961310212833280/XE6vGAaO.jpeg", property="og:image")
|
meta(content="https://pbs.twimg.com/profile_images/522961310212833280/XE6vGAaO.jpeg", property="og:image")
|
||||||
|
|