365DevNet/365devnet
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2242a33754dcf9f8a406a15c346931b2642a62f9
365devnet/server.js
Richard Bergsma a767dbb115 Enhance security and localization features across the application 
- Added rehype-sanitize plugin to the markdown configuration for improved security against XSS attacks.
- Updated environment variables in the codebase to include new configurations for SMTP and monitoring.
- Implemented secure headers in server and Nginx configurations to bolster security.
- Refactored email handling to prevent spoofing by ensuring safe sender addresses.
- Improved localization by updating language persistence and button components for better user experience.
- Enhanced the uptime API and contact form with better error handling and logging practices.
- Updated dependencies in package.json and package-lock.json for better performance and security.
2025-10-19 21:13:15 +02:00

45 lines
1.7 KiB
JavaScript
Raw Blame History

import express from 'express';
import compression from 'compression';
import { handler } from './dist/server/entry.mjs';
import path from 'path';
import { fileURLToPath } from 'url';
const __dirname = path.dirname(fileURLToPath(import.meta.url));
const app = express();
const PORT = process.env.PORT || 3000;
// Enable gzip/brotli compression
app.use(compression());
// Set minimal secure headers for SSR responses
app.use((req, res, next) => {
res.setHeader('X-Content-Type-Options', 'nosniff');
res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
res.setHeader('Cross-Origin-Opener-Policy', 'same-origin');
res.setHeader('Cross-Origin-Embedder-Policy', 'require-corp');
// Gate SSR CSP to avoid breaking inline scripts unless explicitly enabled
if (process.env.ENABLE_SSR_CSP === '1') {
res.setHeader(
'Content-Security-Policy',
"default-src 'self'; script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://cdn.pixabay.com https://raw.githubusercontent.com; font-src 'self' data:; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
);
}
next();
});
// Serve static assets from the dist/client directory
app.use(express.static(path.join(__dirname, 'dist/client')));
// Handle all SSR requests with Astro's handler
app.all('*', handler);
app.listen(PORT, () => {
const isProduction = process.env.NODE_ENV === 'production';
const domain = isProduction ? '365devnet.eu' : `localhost:${PORT}`;
const protocol = isProduction ? 'https' : 'http';
console.log(`Server running with compression on ${protocol}://${domain}`);
if (!isProduction) {
console.log(`Development server accessible at http://localhost:${PORT}`);
}
});
Reference in New Issue View Git Blame Copy Permalink