2019-08-25 02:19:35 +00:00
|
|
|
/* global WIKI */
|
2017-02-09 01:52:37 +00:00
|
|
|
|
2016-08-17 00:56:55 +00:00
|
|
|
/**
|
|
|
|
|
* Security Middleware
|
|
|
|
|
*
|
|
|
|
|
* @param {Express Request} req Express request object
|
|
|
|
|
* @param {Express Response} res Express response object
|
|
|
|
|
* @param {Function} next next callback function
|
|
|
|
|
* @return {any} void
|
|
|
|
|
*/
|
2017-02-09 01:52:37 +00:00
|
|
|
module.exports = function (req, res, next) {
|
|
|
|
|
// -> Disable X-Powered-By
|
2017-07-25 02:37:13 +00:00
|
|
|
req.app.disable('x-powered-by')
|
2016-08-17 00:56:55 +00:00
|
|
|
|
2017-02-09 01:52:37 +00:00
|
|
|
// -> Disable Frame Embedding
|
2020-05-29 22:24:20 +00:00
|
|
|
if (WIKI.config.security.securityIframe) {
|
2019-08-25 02:19:35 +00:00
|
|
|
res.set('X-Frame-Options', 'deny')
|
|
|
|
|
}
|
2016-08-17 00:56:55 +00:00
|
|
|
|
2017-02-09 01:52:37 +00:00
|
|
|
// -> Re-enable XSS Fitler if disabled
|
|
|
|
|
res.set('X-XSS-Protection', '1; mode=block')
|
2016-08-17 00:56:55 +00:00
|
|
|
|
2017-02-09 01:52:37 +00:00
|
|
|
// -> Disable MIME-sniffing
|
|
|
|
|
res.set('X-Content-Type-Options', 'nosniff')
|
2016-08-17 00:56:55 +00:00
|
|
|
|
2017-02-09 01:52:37 +00:00
|
|
|
// -> Disable IE Compatibility Mode
|
|
|
|
|
res.set('X-UA-Compatible', 'IE=edge')
|
2016-08-17 00:56:55 +00:00
|
|
|
|
2017-10-13 03:24:48 +00:00
|
|
|
// -> Disables referrer header when navigating to a different origin
|
2020-05-29 22:24:20 +00:00
|
|
|
if (WIKI.config.security.securityReferrerPolicy) {
|
2019-08-25 02:19:35 +00:00
|
|
|
res.set('Referrer-Policy', 'same-origin')
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// -> Enforce HSTS
|
2020-05-29 22:24:20 +00:00
|
|
|
if (WIKI.config.security.securityHSTS) {
|
2021-03-19 01:53:55 +00:00
|
|
|
res.set('Strict-Transport-Security', `max-age=${WIKI.config.security.securityHSTSDuration}; includeSubDomains`)
|
2019-08-25 02:19:35 +00:00
|
|
|
}
|
2016-08-17 00:56:55 +00:00
|
|
|
|
2020-05-29 22:24:20 +00:00
|
|
|
// -> Prevent Open Redirect from user provided URL
|
|
|
|
|
if (WIKI.config.security.securityOpenRedirect) {
|
|
|
|
|
// Strips out all repeating / character in the provided URL
|
2020-05-30 20:42:48 +00:00
|
|
|
req.url = req.url.replace(/(\/)(?=\/*\1)/g, '')
|
2020-05-29 22:24:20 +00:00
|
|
|
}
|
|
|
|
|
|
2017-02-09 01:52:37 +00:00
|
|
|
return next()
|
|
|
|
|
}
|
