From 52c1989780af3fa7ddceddb8690093f64ba69a90 Mon Sep 17 00:00:00 2001
From: Wyatt Johnson
Date: Mon, 18 Sep 2017 11:57:57 -0600
Subject: [PATCH] Expose Helmet configuration

- Fixes #962

---
 app.js                            | 6 ++++--
 config.js                         | 8 ++++++++
 docs/_docs/00-01-faq.md           | 15 +++++++++++++++
 docs/_docs/02-01-configuration.md | 6 ++++++
 4 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/app.js b/app.js
index 4e74062d5..9da2041fc 100644
--- a/app.js
+++ b/app.js
@@ -2,6 +2,7 @@ const express = require('express');
 const bodyParser = require('body-parser');
 const morgan = require('morgan');
 const path = require('path');
+const merge = require('lodash/merge');
 const helmet = require('helmet');
 const compression = require('compression');
 const cookieParser = require('cookie-parser');
@@ -10,6 +11,7 @@ const {
   BASE_PATH,
   MOUNT_PATH,
   STATIC_URL,
+  HELMET_CONFIGURATION,
 } = require('./url');
 const routes = require('./routes');
 const debug = require('debug')('talk:app');
@@ -31,9 +33,9 @@ app.set('trust proxy', 1);
 
 // Enable a suite of security good practices through helmet. We disable
 // frameguard to allow crossdomain injection of the embed.
-app.use(helmet({
+app.use(helmet(merge(HELMET_CONFIGURATION, {
   frameguard: false,
-}));
+})));
 
 // Compress the responses if appropriate.
 app.use(compression());
diff --git a/config.js b/config.js
index 1a54ece5a..62c6fccf4 100644
--- a/config.js
+++ b/config.js
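Review bot: `merge` mutates its first argument, so `app.use(helmet(merge(HELMET_CONFIGURATION, { frameguard: false })))` writes `frameguard: false` back into the shared `HELMET_CONFIGURATION` object, and because the override is the last source an operator-supplied `frameguard` value can never take effect. Merging into a fresh target keeps the config object untouched: `app.use(helmet(merge({}, HELMET_CONFIGURATION, { frameguard: false })));`. If the embed's frameguard override is meant to be non-negotiable, say so in the comment above it (`// frameguard is forced off regardless of TALK_HELMET_CONFIGURATION`); otherwise swap the source order so the operator's setting wins. `HELMET_CONFIGURATION` is destructured from `./url` here while the commit defines it in `config.js`; if `./url` does not re-export it, the value is `undefined` and helmet silently runs with only `frameguard: false`, so it is worth confirming that export path.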
@@ -79,6 +79,14 @@ const CONFIG = {
 
   INSTALL_LOCK: process.env.TALK_INSTALL_LOCK === 'TRUE',
 
+  //------------------------------------------------------------------------------
+  // Middleware Configuration
+  //------------------------------------------------------------------------------
+
+  // HELMET_CONFIGURATION provides the entrypoint to override options for the
+  // helmet middleware used.
+  HELMET_CONFIGURATION: JSON.parse(process.env.TALK_HELMET_CONFIGURATION || '{}'),
+
   //------------------------------------------------------------------------------
   // External database url's
   //------------------------------------------------------------------------------
diff --git a/docs/_docs/00-01-faq.md b/docs/_docs/00-01-faq.md
index e114fce72..77b7b86ed 100644
--- a/docs/_docs/00-01-faq.md
+++ b/docs/_docs/00-01-faq.md
@@ -3,6 +3,21 @@ title: Frequently Asked Questions
 permalink: /docs/faq/
 ---
 
+{% include toc %}
+
+### My site doesn't use HSTS headers, how do I stop Talk from sending them too?
+
+You can specify the configuration option `TALK_HELMET_CONFIGURATION` and set it
+to:
+
+```
+TALK_HELMET_CONFIGURATION={"hsts": false}
+```
+
+Which will disable the HSTS module. See the
+[helmet](https://github.com/helmetjs/helmet) repository for more information on
+how to configure other security middleware used by default.
+
 ### How are new stories/assets added to Talk? Is there an API?
 
 There are three ways that new assets can make their way into Talk:
diff --git a/docs/_docs/02-01-configuration.md b/docs/_docs/02-01-configuration.md
index 021735fb9..04cabff78 100644
--- a/docs/_docs/02-01-configuration.md
+++ b/docs/_docs/02-01-configuration.md
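Review bot: `HELMET_CONFIGURATION: JSON.parse(process.env.TALK_HELMET_CONFIGURATION || '{}')` turns a typo in the variable into a bare SyntaxError at require time that does not name the setting, and it accepts non-object JSON such as `false`, `[]` or `"hsts"`, which is then handed to helmet unchecked. Since this value can switch off security headers, it is worth parsing it once with an error that names the variable and rejecting anything that is not a plain object, as sketched below. The `||` default is the right choice over `??` here, because an empty string must also fall back to `{}` rather than be parsed. The enclosing `CONFIG` object starts and ends outside the hunk.
```javascript
  // HELMET_CONFIGURATION provides the entrypoint to override options for the
  // helmet middleware used. Parsed once at startup; a malformed or non-object
  // value is a deployment error, so fail loudly and name the variable.
  HELMET_CONFIGURATION: (() => {
    const raw = process.env.TALK_HELMET_CONFIGURATION || '{}';
    let parsed;
    try {
      parsed = JSON.parse(raw);
    } catch (err) {
      throw new Error(`TALK_HELMET_CONFIGURATION is not valid JSON: ${err.message}`);
    }
    if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
      throw new Error('TALK_HELMET_CONFIGURATION must be a JSON object');
    }
    return parsed;
  })(),
  // … unchanged: External database url's section …
```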
@@ -96,6 +96,12 @@ These are only used during the webpack build. and you would then specify the CDN/Storage url. (Default `process.env.TALK_ROOT_URL`) - `TALK_DISABLE_STATIC_SERVER` (_optional_) - When `TRUE`, it will not mount the static asset serving routes on the router. (Default `FALSE`) +- `TALK_HELMET_CONFIGURATION` (_optional_) - A JSON string representing the + configuration passed to the + [helmet](https://github.com/helmetjs/helmet) middleware. It can be used to + disable features like [HSTS](https://helmetjs.github.io/docs/hsts/) and others + by simply providing the configuration as detailed on the + [helmet README](https://github.com/helmetjs/helmet). (Default `{}`) ### Word Filter