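// Express application setup: global middleware, security headers, routers
// and the final error handler. The configured app is exported; the HTTP
// server is created elsewhere.
const path = require('path');
const express = require('express');
const morgan = require('morgan');
const rateLimit = require('express-rate-limit');
const helmet = require('helmet');
const mongoSanitize = require('express-mongo-sanitize');
const xss = require('xss-clean');
const hpp = require('hpp');
const cookieParser = require('cookie-parser');
const compression = require('compression');

const AppError = require('./utils/appError');
const globalErrorHandler = require('./controllers/errorController');
const tourRouter = require('./routes/tourRoutes');
const userRouter = require('./routes/userRoutes');
const reviewRouter = require('./routes/reviewRoutes');
const viewRouter = require('./routes/viewRoutes');
const bookingRouter = require('./routes/bookingRoutes');

const app = express();

// Trust the first proxy hop so req.ip / req.protocol are taken from the
// X-Forwarded-* headers it sets; the rate limiter below keys on req.ip.
// NOTE(review): the value 1 assumes exactly one trusted reverse proxy in
// front of the app — confirm against the deployment topology.
app.set('trust proxy', 1);

// Server-rendered views
app.set('view engine', 'pug');
app.set('views', path.join(__dirname, 'views'));

// ---------------------------------------------------------------------------
// GLOBAL MIDDLEWARE
// Order matters: every app.use() below applies to each request that reaches
// it, and a middleware that sends a response (express.static, the routers)
// ends the chain. Response-shaping middleware (CSP header, compression) is
// therefore mounted before anything that can send a response.
// ---------------------------------------------------------------------------

// Content Security Policy allow-lists, consumed by helmet below.
const scriptSrcUrls = [
  'https://unpkg.com/',
  'https://tile.openstreetmap.org',
  'https://js.stripe.com',
  'https://m.stripe.network',
  'https://*.cloudflare.com',
];
const styleSrcUrls = [
  'https://unpkg.com/',
  'https://tile.openstreetmap.org',
  'https://fonts.googleapis.com/',
];
const connectSrcUrls = [
  'https://unpkg.com',
  'https://tile.openstreetmap.org',
  'https://*.cloudflare.com/',
  // NOTE(review): 'https://bundle.js:*' is not a host name; looks like a
  // leftover — confirm whether it can be dropped.
  'https://bundle.js:*',
  // NOTE(review): the local websocket origins below are shipped in every
  // environment, not only development — confirm that is intended.
  'ws://127.0.0.1:*/',
  'ws://localhost:*/',
];
// Scheme-less host entries match the scheme of the page itself.
const fontSrcUrls = ['fonts.googleapis.com', 'fonts.gstatic.com'];

// Set the Content-Security-Policy header on every response.
// Only helmet's CSP sub-middleware is mounted here; helmet's other headers
// (e.g. X-Content-Type-Options, HSTS, X-Frame-Options) are NOT set by this
// file.
// - defaultSrc: [] serializes to an empty source list (nothing allowed
//   unless a more specific directive permits it).
// - 'unsafe-inline' is granted for styles only, never for scripts.
app.use(
  helmet.contentSecurityPolicy({
    directives: {
      defaultSrc: [],
      connectSrc: ["'self'", ...connectSrcUrls],
      scriptSrc: ["'self'", ...scriptSrcUrls],
      styleSrc: ["'self'", "'unsafe-inline'", ...styleSrcUrls],
      workerSrc: ["'self'", 'blob:'],
      objectSrc: [],
      imgSrc: ["'self'", 'blob:', 'data:', 'https:'],
      fontSrc: ["'self'", ...fontSrcUrls],
    },
  }),
);

// Compress response bodies. Mounted before express.static so static assets
// are compressed as well as router responses.
app.use(compression());

// SERVING STATIC FILES
// Mounted after the CSP and compression middleware so files served from
// public/ also carry the CSP header and are compressed. A request answered
// here ends the chain: logging, rate limiting and the sanitisers below never
// see static requests.
app.use(express.static(path.join(__dirname, 'public')));

// Development request logging
if (process.env.NODE_ENV === 'development') {
  app.use(morgan('dev'));
}

// Stamp each request with its arrival time (ISO 8601, UTC) for handlers.
app.use((req, res, next) => {
  req.requestTime = new Date().toISOString();
  next();
});

// Per-IP rate limit for the API: 100 requests per hour, keyed on req.ip
// (hence 'trust proxy' above). Views under '/' are not limited.
const limiter = rateLimit({
  max: 100,
  windowMs: 60 * 60 * 1000,
  message: 'Too many requests from this IP, please try again in an hour!',
});
app.use('/api', limiter);

// BODY PARSERS: populate req.body from JSON / form bodies, capped at 10kb
// so oversized payloads are rejected before reaching handlers.
app.use(express.json({ limit: '10kb' }));
app.use(express.urlencoded({ extended: true, limit: '10kb' }));
app.use(cookieParser());

// DATA SANITIZATION against NoSQL query injection (strips MongoDB operator
// syntax from request data).
app.use(mongoSanitize());

// DATA SANITIZATION against XSS in request data.
// NOTE(review): xss-clean is no longer maintained upstream — confirm it is
// still the intended choice.
app.use(xss());

// PREVENT PARAMETER POLLUTION: only the listed query keys may repeat
// (they are used as array filters); duplicates of any other key collapse
// to the last value.
app.use(
  hpp({
    whitelist: [
      'duration',
      'ratingsAverage',
      'ratingsQuantity',
      'maxGroupSize',
      'difficulty',
      'price',
    ],
  }),
);

// ROUTES
app.use('/', viewRouter);
app.use('/api/v1/tours', tourRouter);
app.use('/api/v1/users', userRouter);
app.use('/api/v1/reviews', reviewRouter);
app.use('/api/v1/bookings', bookingRouter);

// Catch-all for unmatched routes: hand a 404 AppError to the error handler.
app.all('*', (req, res, next) => {
  const err = new AppError(
    `Can't find ${req.originalUrl} on this server!`,
    404,
  );
  next(err);
});

// Central error handler; must be the last middleware registered.
app.use(globalErrorHandler);

module.exports = app;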