wikijs-fork/server/middlewares/security.js

/* global WIKI */

/**
 * Security Middleware
 *
 * @param      {Express Request}   req     Express request object
 * @param      {Express Response}  res     Express response object
 * @param      {Function}          next    next callback function
 * @return     {any}               void
 */
module.exports = function (req, res, next) {
  // -> Disable X-Powered-By
  req.app.disable('x-powered-by')

  // -> Disable Frame Embedding
  if (WIKI.config.security.securityIframe) {
    res.set('X-Frame-Options', 'deny')
  }

  // -> Re-enable XSS Fitler if disabled
  res.set('X-XSS-Protection', '1; mode=block')

  // -> Disable MIME-sniffing
  res.set('X-Content-Type-Options', 'nosniff')

  // -> Disable IE Compatibility Mode
  res.set('X-UA-Compatible', 'IE=edge')

  // -> Disables referrer header when navigating to a different origin
  if (WIKI.config.security.securityReferrerPolicy) {
    res.set('Referrer-Policy', 'same-origin')
  }

  // -> Enforce HSTS
  if (WIKI.config.security.securityHSTS) {
    res.set('Strict-Transport-Security', `max-age=${WIKI.config.security.securityHSTSDuration}; includeSubDomains`)
  }

  // -> Prevent Open Redirect from user provided URL
  if (WIKI.config.security.securityOpenRedirect) {
    // Strips out all repeating / character in the provided URL
    req.url = req.url.replace(/(\/)(?=\/*\1)/g, '')
  }

  return next()
}
feat: mandatory password change on login + UI fixes 2019-08-25 02:19:35 +00:00			`/* global WIKI */`
Standard JS code conversion + fixes 2017-02-09 01:52:37 +00:00
Base Project Files 2016-08-17 00:56:55 +00:00			`/**`
			`* Security Middleware`
			`*`
			`* @param {Express Request} req Express request object`
			`* @param {Express Response} res Express response object`
			`* @param {Function} next next callback function`
			`* @return {any} void`
			`*/`
Standard JS code conversion + fixes 2017-02-09 01:52:37 +00:00			`module.exports = function (req, res, next) {`
			`// -> Disable X-Powered-By`
feat: GraphQL base implementation 2017-07-25 02:37:13 +00:00			`req.app.disable('x-powered-by')`
Base Project Files 2016-08-17 00:56:55 +00:00
Standard JS code conversion + fixes 2017-02-09 01:52:37 +00:00			`// -> Disable Frame Embedding`
fix: Open Redirect Vulnerability Mitigation - CWE 601 (#1963) * Open redirect vulnerabilty mitigation * Refacted Open Redirect to user configurable and corrected incorrect security variable names. Co-authored-by: danallendds <daniel.allen@friends.dds.mil> 2020-05-29 22:24:20 +00:00			`if (WIKI.config.security.securityIframe) {`
feat: mandatory password change on login + UI fixes 2019-08-25 02:19:35 +00:00			`res.set('X-Frame-Options', 'deny')`
			`}`
Base Project Files 2016-08-17 00:56:55 +00:00
Standard JS code conversion + fixes 2017-02-09 01:52:37 +00:00			`// -> Re-enable XSS Fitler if disabled`
			`res.set('X-XSS-Protection', '1; mode=block')`
Base Project Files 2016-08-17 00:56:55 +00:00
Standard JS code conversion + fixes 2017-02-09 01:52:37 +00:00			`// -> Disable MIME-sniffing`
			`res.set('X-Content-Type-Options', 'nosniff')`
Base Project Files 2016-08-17 00:56:55 +00:00
Standard JS code conversion + fixes 2017-02-09 01:52:37 +00:00			`// -> Disable IE Compatibility Mode`
			`res.set('X-UA-Compatible', 'IE=edge')`
Base Project Files 2016-08-17 00:56:55 +00:00
Added Referrer Policy 2017-10-13 03:24:48 +00:00			`// -> Disables referrer header when navigating to a different origin`
fix: Open Redirect Vulnerability Mitigation - CWE 601 (#1963) * Open redirect vulnerabilty mitigation * Refacted Open Redirect to user configurable and corrected incorrect security variable names. Co-authored-by: danallendds <daniel.allen@friends.dds.mil> 2020-05-29 22:24:20 +00:00			`if (WIKI.config.security.securityReferrerPolicy) {`
feat: mandatory password change on login + UI fixes 2019-08-25 02:19:35 +00:00			`res.set('Referrer-Policy', 'same-origin')`
			`}`

			`// -> Enforce HSTS`
fix: Open Redirect Vulnerability Mitigation - CWE 601 (#1963) * Open redirect vulnerabilty mitigation * Refacted Open Redirect to user configurable and corrected incorrect security variable names. Co-authored-by: danallendds <daniel.allen@friends.dds.mil> 2020-05-29 22:24:20 +00:00			`if (WIKI.config.security.securityHSTS) {`
fix: HSTS header max-age value (#3225) 2021-03-19 01:53:55 +00:00			res.set('Strict-Transport-Security', `max-age=${WIKI.config.security.securityHSTSDuration}; includeSubDomains`)
feat: mandatory password change on login + UI fixes 2019-08-25 02:19:35 +00:00			`}`
Base Project Files 2016-08-17 00:56:55 +00:00
fix: Open Redirect Vulnerability Mitigation - CWE 601 (#1963) * Open redirect vulnerabilty mitigation * Refacted Open Redirect to user configurable and corrected incorrect security variable names. Co-authored-by: danallendds <daniel.allen@friends.dds.mil> 2020-05-29 22:24:20 +00:00			`// -> Prevent Open Redirect from user provided URL`
			`if (WIKI.config.security.securityOpenRedirect) {`
			`// Strips out all repeating / character in the provided URL`
fix: admin security UI 2020-05-30 20:42:48 +00:00			`req.url = req.url.replace(/(\/)(?=\/*\1)/g, '')`
fix: Open Redirect Vulnerability Mitigation - CWE 601 (#1963) * Open redirect vulnerabilty mitigation * Refacted Open Redirect to user configurable and corrected incorrect security variable names. Co-authored-by: danallendds <daniel.allen@friends.dds.mil> 2020-05-29 22:24:20 +00:00			`}`

Standard JS code conversion + fixes 2017-02-09 01:52:37 +00:00			`return next()`
			`}`