lemmy-ui/src/server/middleware.ts

67 lines
1.7 KiB
TypeScript
Raw Normal View History

import * as crypto from "crypto";
2023-06-29 17:14:48 +00:00
import type { NextFunction, Request, Response } from "express";
2023-06-30 14:04:01 +00:00
import { hasJwtCookie } from "./utils/has-jwt-cookie";
export function setDefaultCsp({
res,
next,
}: {
res: Response;
next: NextFunction;
}) {
res.locals.cspNonce = crypto.randomBytes(16).toString("hex");
res.setHeader(
"Content-Security-Policy",
`default-src 'self';
manifest-src *;
connect-src *;
img-src * data:;
script-src 'self' 'nonce-${res.locals.cspNonce}';
style-src 'self' 'unsafe-inline';
form-action 'self';
base-uri 'self';
2023-11-13 17:45:27 +00:00
blob: 'self';
frame-src *;
media-src * data:`.replace(/\s+/g, " "),
);
next();
}
// Set cache-control headers. If user is logged in, set `private` to prevent storing data in
// shared caches (eg nginx) and leaking of private data. If user is not logged in, allow caching
// all responses for 5 seconds to reduce load on backend and database. The specific cache
// interval is rather arbitrary and could be set higher (less server load) or lower (fresher data).
//
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
2023-06-30 14:04:01 +00:00
export function setCacheControl(
req: Request,
res: Response,
next: NextFunction,
2023-06-30 14:04:01 +00:00
) {
2023-06-30 13:42:09 +00:00
if (process.env.NODE_ENV !== "production") {
return next();
}
2023-06-30 14:04:19 +00:00
let caching: string;
2023-06-29 17:14:48 +00:00
if (
2023-06-30 13:42:09 +00:00
req.path.match(/\.(js|css|txt|manifest\.webmanifest)\/?$/) ||
req.path.includes("/css/themelist")
2023-06-29 17:14:48 +00:00
) {
// Static content gets cached publicly for a day
caching = "public, max-age=86400";
} else {
2023-06-30 14:04:01 +00:00
if (hasJwtCookie(req)) {
2023-06-29 17:14:48 +00:00
caching = "private";
} else {
caching = "public, max-age=60";
2023-06-29 17:14:48 +00:00
}
}
res.setHeader("Cache-Control", caching);
next();
}