simon/ifb-schulapp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b2de6309832f21e0ab529dd9ab06509bf3bdbea7
ifb-schulapp/index.js
T
Simon b2de630983 harden security: enforce JWT_SECRET, helmet, CSP, stricter rate limits 
- Require JWT_SECRET env var (fatal exit if missing)
- Add helmet middleware with custom CSP
- Cookie Secure flag when NODE_ENV=production
- requireAuth re-verifies user.status from DB on every request
- class_events DELETE restricted to creator or admin
- Rate limit /register (5/hr) and PUT /me/password (5/15min)
- Password minimum 6 to 8 chars
- crudRoutes truncates strings to 1000 chars
- Remove application/octet-stream from allowed upload MIMEs
2026-04-17 23:40:27 +02:00

47 lines
1.5 KiB
JavaScript
Raw Blame History

const express = require('express');
const cookieParser = require('cookie-parser');
const helmet = require('helmet');
const path = require('path');
const routes = require('./src/routes');
const { router: filesRouter } = require('./src/files');
const teacherRouter = require('./src/teacher');
if (!process.env.JWT_SECRET) {
console.error('FATAL: JWT_SECRET environment variable is not set.');
process.exit(1);
}
const app = express();
const PORT = 3010;
app.use(helmet({
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "'unsafe-inline'", 'unpkg.com'],
scriptSrcAttr: ["'unsafe-inline'"],
styleSrc: ["'self'", "'unsafe-inline'", 'https://fonts.googleapis.com'],
fontSrc: ["'self'", 'https://fonts.gstatic.com'],
imgSrc: ["'self'", 'data:'],
connectSrc: ["'self'", 'https://api.open-meteo.com'],
frameAncestors: ["'none'"],
objectSrc: ["'none'"],
},
},
}));
app.use(express.json());
app.use(cookieParser());
app.use(express.static(path.join(__dirname, 'public')));
app.use('/api', routes);
app.use('/api/files', filesRouter);
app.use('/api/teacher', teacherRouter);
const html = f => (req, res) => res.sendFile(path.join(__dirname, 'public', f));
app.get('/login', html('login.html'));
app.get('/admin', html('admin.html'));
app.get('/datenschutz', html('datenschutz.html'));
app.get('/{*path}', html('index.html'));
app.listen(PORT, '127.0.0.1', () => console.log(`info1 läuft auf :${PORT}`));
Reference in New Issue View Git Blame Copy Permalink