const helmet = require("helmet");
const hpp = require("hpp");
const xssSanitizer = require("./xssSanitizer");
const HttpError = require("../utils/HttpError");
const { baseUrl } = require("../utils/baseUrl");

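// Hostnames for which requests are rejected with 403 by the guard below.
// NOTE(review): IPv6 loopback (`::1`) is not listed — confirm whether that
// is intentional before adding it.
const LOOPBACK_HOSTS = new Set(["127.0.0.1", "localhost"]);

/**
 * Production hardening middleware chain for the Express app.
 *
 * Exported as an array so a single `app.use(applyProductionSecurity)` mounts
 * every step in order. Each entry either adjusts app/request state and calls
 * `next()`, sets response headers, or short-circuits with an `HttpError`
 * handed to `next(err)`.
 *
 * Order matters: the header-setting middleware (HSTS, CSP) runs before any
 * step that may call `next(err)`. Express skips the remaining non-error
 * middleware once an error is passed along, so headers registered after the
 * loopback guard would be missing from the 403 response.
 */
const applyProductionSecurity = [
  // App-wide settings. They live here rather than in app.js because this
  // chain has no handle on `app` at module load time; both calls are
  // idempotent, so re-running them per request is harmless.
  (req, res, next) => {
    // Drop the framework fingerprint header.
    req.app.disable("x-powered-by");
    // NOTE(review): `true` trusts every hop, so `req.ip`, `req.hostname` and
    // `req.protocol` are derived from X-Forwarded-* headers exactly as the
    // nearest peer sent them. That is only safe when a proxy in front of the
    // app always overwrites those headers; otherwise prefer a hop count or
    // the proxy's address/subnet (see the Express "trust proxy" setting).
    req.app.set("trust proxy", true);
    next();
  },
  // Log the proxy-resolved and the socket-level client address. Only logs
  // when a request logger (`req.log`) has been attached upstream.
  (req, res, next) => {
    const forwardedIp = req.ip;
    // `req.socket` is the supported name; `req.connection` is a deprecated alias.
    const directIp = req.socket.remoteAddress;

    req.log?.info?.(`Forwarded IP: ${forwardedIp}`);
    req.log?.info?.(`Direct IP: ${directIp}`);
    next();
  },
  // Strict-Transport-Security; 63072000 s is two years.
  helmet.hsts({ maxAge: 63072000 }),
  // Content-Security-Policy. The allow-listed origins are deployment config
  // and must track the third-party assets the templates actually load.
  helmet.contentSecurityPolicy({
    directives: {
      defaultSrc: ["'self'", baseUrl],
      scriptSrc: ["'self'", "https://hcaptcha.com"],
      // "https:" permits stylesheets from any HTTPS origin — broad; tighten
      // to the specific hosts once they are known.
      styleSrc: ["'self'", "https:"],
      imgSrc: [
        "'self'",
        "data:",
        "https://licensebuttons.net",
        "https://cdn.jsdelivr.net",
      ],
      frameSrc: ["'self'", "https://newassets.hcaptcha.com"],
      objectSrc: ["'none'"],
      // An empty array emits the directive without a value (helmet convention).
      upgradeInsecureRequests: [],
    },
  }),
  // Collapse duplicated query parameters (HTTP parameter pollution).
  hpp(),
  xssSanitizer,
  // rateLimit middleware can be added here
  // Reject requests addressed to a loopback host. With `trust proxy`
  // enabled, `req.hostname` is taken from X-Forwarded-Host when present, so
  // this guard is only as reliable as the proxy that sets that header.
  (req, res, next) => {
    const host = req.hostname;
    if (LOOPBACK_HOSTS.has(host)) {
      return next(new HttpError("Forbidden", 403));
    }
    next();
  },
];

module.exports = applyProductionSecurity;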