diff --git a/src/api/Server.ts b/src/api/Server.ts index bea75d7e2..bbcbed323 100644 --- a/src/api/Server.ts +++ b/src/api/Server.ts @@ -1,17 +1,17 @@ /* Spacebar: A FOSS re-implementation and extension of the Discord.com backend. Copyright (C) 2023 Spacebar and Spacebar Contributors - + This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details. - + You should have received a copy of the GNU Affero General Public License along with this program. If not, see . */ @@ -98,6 +98,7 @@ export class SpacebarServer extends Server { } this.app.set("json replacer", JSONReplacer); + this.app.disable("x-powered-by"); this.app.use(CORS); this.app.use(BodyParser({ inflate: true, limit: "10mb" })); diff --git a/src/cdn/Server.ts b/src/cdn/Server.ts index 255452a0b..a2cde7e08 100644 --- a/src/cdn/Server.ts +++ b/src/cdn/Server.ts @@ -1,17 +1,17 @@ /* Spacebar: A FOSS re-implementation and extension of the Discord.com backend. Copyright (C) 2023 Spacebar and Spacebar Contributors - + This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details. - + You should have received a copy of the GNU Affero General Public License along with this program. If not, see . */ @@ -22,7 +22,8 @@ import path from "path"; import avatarsRoute from "./routes/avatars"; import guildProfilesRoute from "./routes/guild-profiles"; import iconsRoute from "./routes/role-icons"; -import bodyParser from "body-parser"; +import { CORS } from "../api/middlewares/CORS"; +import { BodyParser } from "../api/middlewares/BodyParser"; export type CDNServerOptions = ServerOptions; @@ -38,24 +39,10 @@ export class CDNServer extends Server { await Config.init(); await Sentry.init(this.app); - this.app.use((req, res, next) => { - res.set("Access-Control-Allow-Origin", "*"); - // TODO: use better CSP policy - res.set( - "Content-security-policy", - "default-src * data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval'; script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src * data: blob: ; style-src * data: blob: 'unsafe-inline'; font-src * data: blob: 'unsafe-inline';", - ); - res.set( - "Access-Control-Allow-Headers", - req.header("Access-Control-Request-Headers") || "*", - ); - res.set( - "Access-Control-Allow-Methods", - req.header("Access-Control-Request-Methods") || "*", - ); - next(); - }); - this.app.use(bodyParser.json({ inflate: true, limit: "10mb" })); + this.app.disable("x-powered-by"); + + this.app.use(CORS); + this.app.use(BodyParser({ inflate: true, limit: "10mb" })); await registerRoutes(this, path.join(__dirname, "routes/"));