Dinawo/CDN-APP-INSIDER
1
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
2df1b28962614449dfe49524ea852be9c720f99c
CDN-APP-INSIDER/Middlewares/securityHeadersMiddleware.js
Dinawo 2df1b28962
All checks were successful
continuous-integration/drone/push Build is passing
Details
Update v1.2.0-beta - Dynamic context menu & permissions 
 New Features:
- Dynamic permission-based context menus for files and folders
- Support for collaborative folder access control
- Upload to specific folders including shared folders
- Changelog modal for version updates
- Improved dark mode synchronization

🐛 Bug Fixes:
- Fixed context menu displaying incorrect options
- Fixed CSS !important override preventing dynamic menu behavior
- Fixed folder collaboration permission checks
- Fixed breadcrumb navigation with empty segments
- Fixed "Premature close" error loop in attachments
- Fixed missing user variable in admin routes
- Fixed avatar loading COEP policy issues

🔒 Security:
- Added security middleware (CSRF, rate limiting, input validation)
- Fixed collaboration folder access validation
- Improved shared folder permission handling

🎨 UI/UX Improvements:
- Removed Actions column from folder view
- Context menu now properly hides/shows based on permissions
- Better visual feedback for collaborative folders
- Improved upload flow with inline modals

🧹 Code Quality:
- Added collaboration data to folder routes
- Refactored context menu logic for better maintainability
- Added debug logging for troubleshooting
- Improved file upload handling with chunking support
2025-10-25 23:55:51 +02:00

77 lines
2.9 KiB
JavaScript
Raw Blame History

/**
* Middleware de sécurité pour ajouter les headers HTTP sécurisés
* Conforme aux bonnes pratiques OWASP
*/
const securityHeadersMiddleware = (req, res, next) => {
// Désactive l'envoi de l'en-tête X-Powered-By pour ne pas révéler la stack technique
res.removeHeader('X-Powered-By');
// Content Security Policy (CSP) - Protège contre les attaques XSS
res.setHeader(
'Content-Security-Policy',
[
"default-src 'self'",
"script-src 'self' 'unsafe-inline' 'unsafe-eval' https://code.jquery.com https://cdnjs.cloudflare.com https://maxcdn.bootstrapcdn.com https://cdn.jsdelivr.net https://cdn.tailwindcss.com",
"style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com https://fonts.googleapis.com",
"img-src 'self' data: https: blob:",
"font-src 'self' https://cdnjs.cloudflare.com https://fonts.gstatic.com",
"connect-src 'self' ws: wss: https://cdnjs.cloudflare.com https://maxcdn.bootstrapcdn.com",
"frame-ancestors 'none'",
"base-uri 'self'",
"form-action 'self'"
].join('; ')
);
// X-Content-Type-Options - Empêche le navigateur de deviner le type MIME
res.setHeader('X-Content-Type-Options', 'nosniff');
// X-Frame-Options - Protège contre le clickjacking
res.setHeader('X-Frame-Options', 'DENY');
// X-XSS-Protection - Active la protection XSS du navigateur
res.setHeader('X-XSS-Protection', '1; mode=block');
// Strict-Transport-Security (HSTS) - Force HTTPS
if (req.secure || process.env.NODE_ENV === 'production') {
res.setHeader(
'Strict-Transport-Security',
'max-age=31536000; includeSubDomains; preload'
);
}
// Referrer-Policy - Contrôle les informations de référence envoyées
res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
// Permissions-Policy - Contrôle les fonctionnalités du navigateur
res.setHeader(
'Permissions-Policy',
[
'camera=()',
'microphone=()',
'geolocation=()',
'payment=()',
'usb=()',
'magnetometer=()',
'accelerometer=()',
'gyroscope=()'
].join(', ')
);
// X-Permitted-Cross-Domain-Policies - Restreint les politiques cross-domain
res.setHeader('X-Permitted-Cross-Domain-Policies', 'none');
// Cross-Origin-Embedder-Policy - Désactivé pour permettre les ressources externes (avatars, images CDN)
// res.setHeader('Cross-Origin-Embedder-Policy', 'require-corp');
// Cross-Origin-Opener-Policy - Isole le contexte de navigation
res.setHeader('Cross-Origin-Opener-Policy', 'same-origin');
// Cross-Origin-Resource-Policy - Contrôle le partage de ressources
res.setHeader('Cross-Origin-Resource-Policy', 'same-origin');
next();
};
module.exports = securityHeadersMiddleware;
Reference in New Issue View Git Blame Copy Permalink