
feat(api): exclude storybook from helmet

pull/4437/head
KenTandrian 1 month ago
parent
commit
e86e45b750
  1. 35
      apps/api/src/main.ts

35
apps/api/src/main.ts

@ -1,3 +1,5 @@
import { STORYBOOK_PATH } from '@ghostfolio/common/config';
import { import {
Logger, Logger,
LogLevel, LogLevel,
@ -7,6 +9,7 @@ import {
import { ConfigService } from '@nestjs/config'; import { ConfigService } from '@nestjs/config';
import { NestFactory } from '@nestjs/core'; import { NestFactory } from '@nestjs/core';
import type { NestExpressApplication } from '@nestjs/platform-express'; import type { NestExpressApplication } from '@nestjs/platform-express';
import { NextFunction, Request, Response } from 'express';
import helmet from 'helmet'; import helmet from 'helmet';
import { AppModule } from './app/app.module'; import { AppModule } from './app/app.module';
@ -50,20 +53,24 @@ async function bootstrap() {
app.useBodyParser('json', { limit: '10mb' }); app.useBodyParser('json', { limit: '10mb' });
if (configService.get<string>('ENABLE_FEATURE_SUBSCRIPTION') === 'true') { if (configService.get<string>('ENABLE_FEATURE_SUBSCRIPTION') === 'true') {
app.use( app.use((req: Request, res: Response, next: NextFunction) => {
helmet({ if (req.path.startsWith(STORYBOOK_PATH)) {
contentSecurityPolicy: { next();
directives: { } else {
connectSrc: ["'self'", 'https://js.stripe.com'], // Allow connections to Stripe helmet({
frameSrc: ["'self'", 'https://js.stripe.com'], // Allow loading frames from Stripe contentSecurityPolicy: {
scriptSrc: ["'self'", "'unsafe-inline'", 'https://js.stripe.com'], // Allow inline scripts and scripts from Stripe directives: {
scriptSrcAttr: ["'self'", "'unsafe-inline'"], // Allow inline event handlers connectSrc: ["'self'", 'https://js.stripe.com'], // Allow connections to Stripe
styleSrc: ["'self'", "'unsafe-inline'"] // Allow inline styles frameSrc: ["'self'", 'https://js.stripe.com'], // Allow loading frames from Stripe
} scriptSrc: ["'self'", "'unsafe-inline'", 'https://js.stripe.com'], // Allow inline scripts and scripts from Stripe
}, scriptSrcAttr: ["'self'", "'unsafe-inline'"], // Allow inline event handlers
crossOriginOpenerPolicy: false // Disable Cross-Origin-Opener-Policy header (for Internet Identity) styleSrc: ["'self'", "'unsafe-inline'"] // Allow inline styles
}) }
); },
crossOriginOpenerPolicy: false // Disable Cross-Origin-Opener-Policy header (for Internet Identity)
})(req, res, next);
}
});
} }
app.use(HtmlTemplateMiddleware); app.use(HtmlTemplateMiddleware);
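Review bot: The `next()` branch in the new middleware skips every helmet header for matching paths, not only the Content-Security-Policy that Storybook presumably conflicts with, so X-Content-Type-Options, X-Frame-Options, HSTS and the rest also disappear on those responses; if CSP is the only problem, route Storybook requests through a second helmet instance with `contentSecurityPolicy: false` instead of bypassing helmet altogether. `req.path.startsWith(STORYBOOK_PATH)` is also a plain prefix match, so any path that merely begins with that string is exempted, not just the Storybook mount; comparing against `STORYBOOK_PATH` exactly or `` `${STORYBOOK_PATH}/` `` is tighter (the constant's value is not visible here). Separately, `helmet({...})` is re-created on every non-Storybook request because the call sits inside the handler; build both instances once above `app.use` and call them. bootstrap() starts and ends outside the hunk.
```typescript
    // Built once: constructing helmet() per request is wasted work.
    const helmetMiddleware = helmet({
      // … unchanged: contentSecurityPolicy directives and crossOriginOpenerPolicy …
    });
    // Storybook presumably only clashes with the CSP (inline scripts) — confirm;
    // the other helmet headers stay in place for that mount.
    const storybookHelmetMiddleware = helmet({
      contentSecurityPolicy: false,
      crossOriginOpenerPolicy: false // Keep consistent with the main instance (for Internet Identity)
    });
    app.use((req: Request, res: Response, next: NextFunction) => {
      const isStorybook =
        req.path === STORYBOOK_PATH || req.path.startsWith(`${STORYBOOK_PATH}/`);
      return isStorybook
        ? storybookHelmetMiddleware(req, res, next)
        : helmetMiddleware(req, res, next);
    });
```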
