andras/fizika
1
0
Fork 0
Code Issues Pull requests 2 Projects Releases Packages Wiki Activity Actions

Fix CSP for real

Browse source
This commit is contained in:
Andras Schmelczer 2025-08-31 15:30:15 +01:00
parent 097d678658
commit d1bb824b57
No known key found for this signature in database
GPG key ID: FC8F2C3D3D1A718C
2 changed files with 13 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

4
backend/public/index.html
View file

@ -4,10 +4,6 @@
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Fizika Admin - Kérdések és képek kezelése</title>
<meta
http-equiv="Content-Security-Policy"
content="default-src 'self'; script-src https://stats.schmelczer.dev; connect-src https://stats.schmelczer.dev"
/>
<script
defer
data-domain="fizika.schmelczer.dev"

15
backend/server.js
View file

@ -9,7 +9,18 @@ const app = express();
const PORT = process.env.PORT || 3001;
// Security middleware
app.use(helmet());
app.use(helmet({
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'", "'unsafe-inline'"],
scriptSrc: [
"'self'",
"https://stats.schmelczer.dev",
"'unsafe-inline'",
],
},
},
}));
app.use(cors({
origin: process.env.FRONTEND_URL || '*',
credentials: true
@ -34,7 +45,7 @@ const storage = multer.diskStorage({
const upload = multer({
storage: storage,
limits: { fileSize: 5 * 1024 * 1024 }, // 5MB
limits: { fileSize: 50 * 1024 * 1024 }, // 5MB
fileFilter: (req, file, cb) => {
if (file.mimetype.startsWith('image/')) {
cb(null, true);