Dateien nach "backend/src" hochladen
This commit is contained in:
@@ -7,6 +7,29 @@ require('./db');
|
||||
const app = express();
|
||||
app.use(express.json());
|
||||
|
||||
// ── Security Headers ──────────────────────────────────────────────────────────
|
||||
app.use((_req, res, next) => {
|
||||
res.setHeader('Content-Security-Policy', [
|
||||
"default-src 'self'",
|
||||
"script-src 'self'",
|
||||
// unsafe-inline nötig für React inline-styles + @import Google Fonts
|
||||
"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
|
||||
"font-src 'self' https://fonts.gstatic.com",
|
||||
// iCal-Feeds werden serverseitig geprosxt → nur 'self' nötig
|
||||
"connect-src 'self'",
|
||||
// data: für Avatare (base64), google.com für Favicons im QuickLinks-Widget
|
||||
"img-src 'self' data: https://www.google.com",
|
||||
"worker-src 'self'",
|
||||
"object-src 'none'",
|
||||
"base-uri 'self'",
|
||||
"form-action 'self'",
|
||||
].join('; '));
|
||||
res.setHeader('X-Content-Type-Options', 'nosniff');
|
||||
res.setHeader('X-Frame-Options', 'DENY');
|
||||
res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
|
||||
next();
|
||||
});
|
||||
|
||||
// ── API ───────────────────────────────────────────────────────────────────────
|
||||
app.use('/api/auth', require('./routes/auth'));
|
||||
app.use('/api/admin', require('./routes/admin'));
|
||||
|
||||
Reference in New Issue
Block a user