UNPKG

@digicms/cms

Version:

An open source headless CMS solution to create and manage your own API. It provides a powerful dashboard and features to make your life easier. Databases supported: MySQL, MariaDB, PostgreSQL, SQLite

strapi.io

strapi/strapi

58 lines (50 loc) 1.48 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
'use strict'; const { defaultsDeep, merge } = require('lodash/fp'); const helmet = require('koa-helmet'); const defaults = { crossOriginEmbedderPolicy: false, crossOriginOpenerPolicy: false, crossOriginResourcePolicy: false, originAgentCluster: false, contentSecurityPolicy: { useDefaults: true, directives: { 'connect-src': ["'self'", 'https:'], 'img-src': ["'self'", 'data:', 'blob:', 'https://dl.airtable.com'], 'media-src': ["'self'", 'data:', 'blob:'], upgradeInsecureRequests: null, }, }, xssFilter: false, hsts: { maxAge: 31536000, includeSubDomains: true, }, frameguard: { action: 'sameorigin', }, }; /** * @type {import('./').MiddlewareFactory} */ module.exports = (config, { strapi }) => (ctx, next) => { let helmetConfig = defaultsDeep(defaults, config); const specialPaths = ['/documentation']; if (strapi.plugin('graphql')) { const { config: gqlConfig } = strapi.plugin('graphql'); specialPaths.push(gqlConfig('endpoint')); } if (ctx.method === 'GET' && specialPaths.some((str) => ctx.path.startsWith(str))) { helmetConfig = merge(helmetConfig, { contentSecurityPolicy: { directives: { 'script-src': ["'self'", "'unsafe-inline'", 'cdn.jsdelivr.net'], 'img-src': ["'self'", 'data:', 'cdn.jsdelivr.net', 'strapi.io'], }, }, }); } return helmet(helmetConfig)(ctx, next); };