feat: mandatory password change on login + UI fixes

2019-08-24 22:19:35 -04:00
parent 38008f0460
commit d3e693ab46
40 changed files with 1468 additions and 1064 deletions
--- a/server/middlewares/security.js
+++ b/server/middlewares/security.js
@@ -1,4 +1,4 @@
-'use strict'
+/* global WIKI */

 /**
 * Security Middleware
@@ -13,7 +13,9 @@ module.exports = function (req, res, next) {
  req.app.disable('x-powered-by')

  // -> Disable Frame Embedding
-  res.set('X-Frame-Options', 'deny')
+  if (WIKI.config.securityIframe) {
+    res.set('X-Frame-Options', 'deny')
+  }

  // -> Re-enable XSS Fitler if disabled
  res.set('X-XSS-Protection', '1; mode=block')
@@ -25,7 +27,14 @@ module.exports = function (req, res, next) {
  res.set('X-UA-Compatible', 'IE=edge')

  // -> Disables referrer header when navigating to a different origin
-  res.set('Referrer-Policy', 'same-origin')
+  if (WIKI.config.securityReferrerPolicy) {
+    res.set('Referrer-Policy', 'same-origin')
+  }
+
+  // -> Enforce HSTS
+  if (WIKI.config.securityHSTS) {
+    res.set('Strict-Transport-Security', `max-age=${WIKI.config.securityHSTSDuration}; includeSubDomains`)
+  }

  return next()
 }