update helmet version to improve security and take on CSP patches (mi…

…crosoft#4572) * update helmet version to improve security and take on CSP patches * add content security policy for creator
mihsta · Apr 9, 2021 · 8933c5b · 8933c5b
1 parent 636f7cd
commit 8933c5b
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/sites/site-utilities/statics/server/package.json b/sites/site-utilities/statics/server/package.json
@@ -12,6 +12,6 @@
   "dependencies": {
     "express": "4.17.1",
     "express-history-api-fallback": "2.2.1",
-    "helmet": "4.0.0"
+    "helmet": "4.4.1"
   }
 }
diff --git a/sites/site-utilities/statics/server/server.js b/sites/site-utilities/statics/server/server.js
@@ -7,6 +7,7 @@ var path = require("path");
 // Create application
 var app = express();
 
+// Configure application security with Helmet
 app.use(helmet.dnsPrefetchControl());
 app.use(helmet.expectCt());
 app.use(helmet.frameguard());
@@ -17,6 +18,22 @@ app.use(helmet.noSniff());
 app.use(helmet.permittedCrossDomainPolicies());
 app.use(helmet.referrerPolicy());
 
+// Manage CSP Policy for Creator Application only
+if (process.env.WEBSITE_HOSTNAME.indexOf("create") > -1) {
+    app.use(
+        helmet.contentSecurityPolicy({
+            directives: {
+                defaultSrc: ["'self'"],
+                fontSrc: ["'self' use.typekit.net static.fast.design c.s-microsoft.com"],
+                frameAncestors: [`'self' ${process.env.FRAME_ANCESTOR_PARTNER}`],
+                imgSrc: ["'self' data: *.fast.design"],
+                scriptSrc: ["'self' 'unsafe-eval'"],
+                styleSrc: ["'self' https: 'unsafe-inline'"],
+            },
+        })
+    );
+}
+
 // Set public directory
 var publicDir = path.resolve(__dirname);