diff --git a/Middlewares/securityHeadersMiddleware.js b/Middlewares/securityHeadersMiddleware.js
index ba34527..7160f45 100644
--- a/Middlewares/securityHeadersMiddleware.js
+++ b/Middlewares/securityHeadersMiddleware.js
@@ -67,8 +67,26 @@ const securityHeadersMiddleware = (req, res, next) => {
 // Cross-Origin-Opener-Policy - Isole le contexte de navigation
 res.setHeader('Cross-Origin-Opener-Policy', 'same-origin');
- // Cross-Origin-Resource-Policy - Contrôle le partage de ressources
- res.setHeader('Cross-Origin-Resource-Policy', 'same-origin');
+ // CORS Headers pour CDN - Permet l'accès cross-origin aux ressources publiques
+ const isPublicResource = req.path.startsWith('/public/') ||
+ req.path.startsWith('/cdn-files/') ||
+ req.path.startsWith('/attachments') ||
+ req.path.match(/\.(png|jpg|jpeg|gif|svg|webp|ico|css|js|woff|woff2|ttf|eot)$/i);
+
+ if (isPublicResource) {
+ // Autoriser toutes les origines pour les ressources publiques du CDN
+ res.setHeader('Access-Control-Allow-Origin', '*');
+ res.setHeader('Access-Control-Allow-Methods', 'GET, HEAD, OPTIONS');
+ res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Accept, Range');
+ res.setHeader('Access-Control-Expose-Headers', 'Content-Length, Content-Range, Content-Type');
+ res.setHeader('Cross-Origin-Resource-Policy', 'cross-origin');
+
+ // Cache control pour les ressources statiques
+ res.setHeader('Cache-Control', 'public, max-age=31536000, immutable');
+ } else {
+ // Routes sensibles : garder la sécurité stricte
+ res.setHeader('Cross-Origin-Resource-Policy', 'same-origin');
+ }
 next();
 };
diff --git a/package.json b/package.json
index f2c7a73..399bbd4 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@cdn-app/insider-myaxrin-labs-dinawo",
- "version": "1.2.0-beta",
+ "version": "1.2.1-beta",
 "description": "",
 "main": "server.js",
 "scripts": {
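Review bot: The extension regex in `isPublicResource` classifies any path ending in `.js`, `.css`, `.svg` and so on as a public CDN asset regardless of which route actually serves it, so a dynamic or authenticated endpoint whose URL happens to carry such a suffix would receive `Access-Control-Allow-Origin: *`, `Cross-Origin-Resource-Policy: cross-origin` and a one-year `Cache-Control: public, immutable`, inviting shared caches to store it. The `/attachments` prefix also lacks a trailing slash and therefore matches `/attachmentsanything`. Unless attachments are guaranteed immutable and world-readable, the long-lived public cache header on that prefix looks risky, and because it is set before the route runs, an error or 404 response on a matching path may carry it too (this depends on the downstream handlers, which are not visible here). I would restrict the check to the explicit static prefixes, `const isPublicResource = req.path.startsWith('/public/') || req.path.startsWith('/cdn-files/') || req.path.startsWith('/attachments/');`, and leave `Cache-Control` to the static-file handler, which knows whether the asset URL is content-hashed. The body of securityHeadersMiddleware starts before this hunk.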