From 149a0aec6d430e8daee6ef7e34e8bcae68ced4e7 Mon Sep 17 00:00:00 2001
From: VLE2FE
Date: Tue, 28 Jul 2020 13:59:13 +0200
Subject: [PATCH] api and headers

---
 src/api.ts | 2 +-
 src/index.ts | 22 +++++++++++++---------
 static/styles/swagger-ui.css | 22 ++++++++++++++++++++++
 3 files changed, 36 insertions(+), 10 deletions(-)

diff --git a/src/api.ts b/src/api.ts
index d82a99e..8988cf1 100644
--- a/src/api.ts
+++ b/src/api.ts
@@ -125,7 +125,7 @@ window.onload = function() {
 plugins: [
 SwaggerUIBundle.plugins.DownloadUrl
 ],
- layout: 'StandaloneLayout'
+ layout: "StandaloneLayout",
 });
 }
 `;
\ No newline at end of file
diff --git a/src/index.ts b/src/index.ts
index b7b5e2e..6771860 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -8,7 +8,7 @@ import cors from 'cors';
 import api from './api';
 import db from './db';
-// TODO: working demo branch
+// TODO: check header, also in UI
 // tell if server is running in debug or production environment
 console.info(process.env.NODE_ENV === 'production' ? '===== PRODUCTION =====' : process.env.NODE_ENV === 'test' ? '' :'===== DEVELOPMENT =====');
@@ -25,7 +25,7 @@ app.disable('x-powered-by');
 const port = process.env.PORT || 3000;
 // security headers
-app.use(helmet({
+const defaultHeaderConfig = {
 contentSecurityPolicy: {
 directives: {
 defaultSrc: [`'none'`],
@@ -33,23 +33,27 @@ app.use(helmet({
 formAction: [`'none'`],
 frameAncestors: [`'none'`]
 }
- }
-}));
+ },
+ frameguard: {
+ action: 'deny'
+ },
+ permittedCrossDomainPolicies: true,
+ refererPolicy: true
+};
+app.use(helmet(defaultHeaderConfig));
 // special CSP header for api-doc
 app.use('/api-doc', helmet.contentSecurityPolicy({
+ ...defaultHeaderConfig,
 directives: {
- defaultSrc: [`'none'`],
 scriptSrc: [`'self'`],
 connectSrc: [`'self'`],
 styleSrc: [`'self'`, `'unsafe-inline'`],
- imgSrc: [`'self'`, 'data:'],
- baseUri: [`'self'`],
- formAction: [`'none'`],
- frameAncestors: [`'none'`]
+ imgSrc: [`'self'`, 'data:']
 }
 }));
 // special CSP header for the bosch-logo.svg
 app.use('/static/img/bosch-logo.svg', helmet.contentSecurityPolicy({
+ ...defaultHeaderConfig,
 directives: {
 styleSrc: [`'unsafe-inline'`]
 }
diff --git a/static/styles/swagger-ui.css b/static/styles/swagger-ui.css
index 9372efb..70bf2b8 100644
--- a/static/styles/swagger-ui.css
+++ b/static/styles/swagger-ui.css
@@ -161,6 +161,26 @@ body:after {
 border-color: var(--red);
 }
+/*clipboard button*/
+.swagger-ui .copy-to-clipboard {
+ border-radius: 0;
+ top: 19px;
+ height: 28px;
+}
+.swagger-ui .copy-to-clipboard > button {
+ position: relative;
+ bottom: 3px;
+}
+.swagger-ui .curl-command .copy-to-clipboard {
+ border-radius: 0;
+ top: 24px;
+}
+.swagger-ui .curl-command .copy-to-clipboard > button {
+ position: relative;
+ bottom: 7px;
+ right: 1px;
+}
 /*download button*/
 .swagger-ui .download-contents {
 border-radius: 0;
@@ -216,6 +236,8 @@ body:after {
 /*code*/
 .swagger-ui .opblock-body pre.microlight {
 border-radius: 0;
+ background: #41444e !important;
+ padding: 0.5em;
 }
 .swagger-ui .highlight-code > .microlight {
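Review bot: Spreading `...defaultHeaderConfig` into the `helmet.contentSecurityPolicy()` calls for `/api-doc` and the logo does not inherit the default directives: the CSP middleware only acts on its own options (`directives`, `reportOnly`, …), and the spread merely adds unrelated top-level keys (`contentSecurityPolicy`, `frameguard`, `permittedCrossDomainPolicies`, `refererPolicy`) that it does not use, while the hunk at the same time removes `defaultSrc`, `baseUri`, `formAction` and `frameAncestors` from the `/api-doc` block. The net effect is that `/api-doc` now serves a CSP without `default-src 'none'`, `base-uri 'self'`, `form-action 'none'` and `frame-ancestors 'none'` — a regression from the previous header, since fonts, objects, frames and workers become unrestricted and `<base>` injection is no longer blocked. The shared directives should be hoisted into their own object and spread inside `directives:` instead, as sketched below; note that `defaultHeaderConfig` is opened in the previous hunk and the directives between the two hunks (around line 32) are not visible here, and that the logo route's `styleSrc`-only policy should probably take the same defaults, provided the SVG references nothing external. Separately, `refererPolicy: true` is misspelled — Helmet's option is `referrerPolicy` — so as written it presumably emits no `Referrer-Policy` header on Helmet 3 (unknown keys are ignored there) and may be rejected at startup on newer majors; confirm against the installed version.
```typescript
// shared CSP directives, reused by the route-specific policies below
const defaultDirectives = {
  defaultSrc: [`'none'`],
  // … unchanged: remaining default directives (baseUri, formAction, frameAncestors) …
};
const defaultHeaderConfig = {
  contentSecurityPolicy: { directives: defaultDirectives },
  frameguard: { action: 'deny' },
  permittedCrossDomainPolicies: true,
  referrerPolicy: true
};
app.use(helmet(defaultHeaderConfig));

// special CSP header for api-doc: start from the defaults, relax only what swagger-ui needs
app.use('/api-doc', helmet.contentSecurityPolicy({
  directives: {
    ...defaultDirectives,
    scriptSrc: [`'self'`],
    connectSrc: [`'self'`],
    styleSrc: [`'self'`, `'unsafe-inline'`],
    imgSrc: [`'self'`, 'data:']
  }
}));

// special CSP header for the bosch-logo.svg
app.use('/static/img/bosch-logo.svg', helmet.contentSecurityPolicy({
  directives: {
    ...defaultDirectives,
    styleSrc: [`'unsafe-inline'`]
  }
}));
```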
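Review bot: The `!important` on `background: #41444e !important;` in the `.swagger-ui .opblock-body pre.microlight` rule is a point of style: it presumably exists because the bundled swagger-ui stylesheet sets the same property from a selector of equal or higher specificity, and once it is there every later override (including the `.microlight` rule directly below) has to carry `!important` as well. If that is the reason, a more specific selector — or, for an equal-specificity rule, loading this sheet after the bundle — keeps the cascade plain. Failing that, a one-line comment such as `/* !important: swagger-ui's own pre.microlight rule wins on specificity */` would at least record why the flag is needed.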