Pinafore-Web-Client-Frontend/server.js
Nolan Lawson 4b2e3f030a
disable CSP for /report.html (#151)
* disable CSP for /report.html

Fixes #150

* enable minimal helmet() for debug paths
2018-04-17 18:38:14 -07:00


// Third-party server pieces: HTTP framework, gzip, security headers, SSR.
const express = require('express')
const compression = require('compression')
const helmet = require('helmet')
const sapper = require('sapper')
const serveStatic = require('serve-static')
// sha256 of the inline <head> script; it is whitelisted by hash in the CSP
// so that script-src can stay free of 'unsafe-inline'.
const { checksum: headScriptChecksum } = require('./inline-script-checksum')
// PORT arrives from the environment as a string when set; express accepts either.
const { PORT = 4002 } = process.env
const app = express()
// Server-side fetch shim. SSR code calls e.g. `fetch('/_api/blog')` with a
// root-relative URL, which node-fetch cannot resolve on its own, so such
// strings are pointed back at this process. Only root-relative *strings* are
// rewritten, and they always land on localhost — the host is never taken
// from the caller. Absolute URLs and non-string inputs pass through untouched.
const nodeFetch = require('node-fetch')
global.fetch = (url, opts) => {
  const isRootRelative = typeof url === 'string' && url.startsWith('/')
  const target = isRootRelative ? `http://localhost:${PORT}${url}` : url
  return nodeFetch(target, opts)
}
// Build artifacts served for debugging; these are the only routes that get the
// relaxed (no-CSP) helmet configuration further down.
const debugPaths = ['/report.html', '/stats.json']
// Exact match on req.path: anything else (a sub-path, a differently cased
// path if express's default case-insensitive routing lets it through) falls
// back to the strict CSP, which is the safe direction.
const isDebugRequest = (req) => debugPaths.includes(req.path)
// Run `fn` for debug paths only; every other request skips straight to `next`.
const debugOnly = (fn) => (req, res, next) => (
  isDebugRequest(req) ? fn(req, res, next) : next()
)
// Run `fn` for non-debug paths only; debug paths skip straight to `next`.
const nonDebugOnly = (fn) => (req, res, next) => (
  isDebugRequest(req) ? next() : fn(req, res, next)
)
// Gzip everything, even tiny responses.
app.use(compression({ threshold: 0 }))
// The debug pages contain inline scripts, so they only get helmet's default
// header set, without the CSP configured below. Whether a bare helmet() adds a
// CSP of its own depends on the installed helmet version — NOTE(review):
// re-check after upgrading helmet, as newer majors enable CSP by default.
const minimalHelmet = helmet()
// CSP for every other route. The inline <head> script is allowed by its
// sha256 hash rather than via 'unsafe-inline'; styles do allow inline.
// No default-src is declared, so directives not listed here (connect-src,
// img-src, font-src, ...) are not restricted by this policy — presumably
// intentional for a client that talks to user-chosen instances; verify.
const cspDirectives = {
  scriptSrc: [`'self'`, `'sha256-${headScriptChecksum}'`],
  workerSrc: [`'self'`],
  styleSrc: [`'self'`, `'unsafe-inline'`],
  frameSrc: [`'none'`],
  objectSrc: [`'none'`],
  manifestSrc: [`'self'`]
}
const strictHelmet = helmet({
  contentSecurityPolicy: {
    directives: cspDirectives
  }
})
// Registration order is what matters: debug paths get the minimal set,
// everything else the strict CSP.
app.use(debugOnly(minimalHelmet))
app.use(nonDebugOnly(strictHelmet))
// Static files from ./assets with a short, shared-cacheable lifetime.
const assetCacheControl = 'public,max-age=600'
app.use(serveStatic('assets', {
  setHeaders: (res) => {
    res.setHeader('Cache-Control', assetCacheControl)
  }
}))
// Expose the debug artifacts from the Sapper client build at their own paths.
// Mounted with app.use, so the mount matches the path as a prefix; only an
// exact req.path match is treated as a debug path by the CSP middleware above.
for (const debugPath of debugPaths) {
  app.use(debugPath, express.static(`.sapper/client${debugPath}`))
}
// Sapper handles every remaining route (SSR pages and the client bundle).
app.use(sapper())
const onListening = () => {
  console.log(`listening on port ${PORT}`)
}
app.listen(PORT, onListening)