server/server.js — added helmet with CSP configured to allow Google Fonts
Dockerfile — creates a non-root app user and runs the process under it server/routes.js — tailscale_ip validated against IPv4 regex (empty string still allowed) index.html — sql.js CDN script tag already removed earlier in this session
This commit is contained in:
@@ -22,6 +22,9 @@ function validate(body) {
|
||||
errors.push(`state must be one of: ${VALID_STATES.join(', ')}`);
|
||||
if (!VALID_STACKS.includes(body.stack))
|
||||
errors.push(`stack must be one of: ${VALID_STACKS.join(', ')}`);
|
||||
const ip = (body.tailscale_ip ?? '').trim();
|
||||
if (ip && !/^(\d{1,3}\.){3}\d{1,3}$/.test(ip))
|
||||
errors.push('tailscale_ip must be a valid IPv4 address or empty');
|
||||
return errors;
|
||||
}
|
||||
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
import express from 'express';
|
||||
import helmet from 'helmet';
|
||||
import { fileURLToPath } from 'url';
|
||||
import { dirname, join } from 'path';
|
||||
import { router } from './routes.js';
|
||||
@@ -8,6 +9,15 @@ const PORT = process.env.PORT ?? 3000;
|
||||
|
||||
export const app = express();
|
||||
|
||||
app.use(helmet({
|
||||
contentSecurityPolicy: {
|
||||
directives: {
|
||||
...helmet.contentSecurityPolicy.getDefaultDirectives(),
|
||||
'style-src': ["'self'", 'https://fonts.googleapis.com'],
|
||||
'font-src': ["'self'", 'https://fonts.gstatic.com'],
|
||||
},
|
||||
},
|
||||
}));
|
||||
app.use(express.json());
|
||||
|
||||
// API
|
||||
|
||||
Reference in New Issue
Block a user