wikijs-fork/server/middlewares/security.js
daneallen 20e6bc1a70
fix: Open Redirect Vulnerability Mitigation - CWE 601 (#1963)
* Open redirect vulnerabilty mitigation

* Refacted Open Redirect to user configurable and corrected incorrect security variable names.

Co-authored-by: danallendds <daniel.allen@friends.dds.mil>
2020-05-29 18:24:20 -04:00

47 lines
1.3 KiB
JavaScript

/* global WIKI */
/**
* Security Middleware
*
* @param {Express Request} req Express request object
* @param {Express Response} res Express response object
* @param {Function} next next callback function
* @return {any} void
*/
module.exports = function (req, res, next) {
// -> Disable X-Powered-By
req.app.disable('x-powered-by')
// -> Disable Frame Embedding
if (WIKI.config.security.securityIframe) {
res.set('X-Frame-Options', 'deny')
}
// -> Re-enable XSS Fitler if disabled
res.set('X-XSS-Protection', '1; mode=block')
// -> Disable MIME-sniffing
res.set('X-Content-Type-Options', 'nosniff')
// -> Disable IE Compatibility Mode
res.set('X-UA-Compatible', 'IE=edge')
// -> Disables referrer header when navigating to a different origin
if (WIKI.config.security.securityReferrerPolicy) {
res.set('Referrer-Policy', 'same-origin')
}
// -> Enforce HSTS
if (WIKI.config.security.securityHSTS) {
res.set('Strict-Transport-Security', `max-age=${WIKI.config.securityHSTSDuration}; includeSubDomains`)
}
// -> Prevent Open Redirect from user provided URL
if (WIKI.config.security.securityOpenRedirect) {
// Strips out all repeating / character in the provided URL
req.url = req.url.replace(/(\/)(?=\/*\1)/g, "")
}
return next()
}