ebc7c7751a
Helmet adds HTTP security headers (HSTS, X-Frame-Options, X-Content-Type-Options, etc.). CSP is disabled pending deployment- specific tuning. Rate limiting (10 req / 15 min per IP) is applied to POST /login and POST / (registration) to mitigate brute force and credential stuffing attacks.
44 lines
1.3 KiB
JavaScript
44 lines
1.3 KiB
JavaScript
var express = require('express'),
|
|
session = require('express-session'),
|
|
cors = require('cors'),
|
|
helmet = require('helmet'),
|
|
errorhandler = require('errorhandler');
|
|
|
|
const config = require('./config'),
|
|
swaggerUi = require('swagger-ui-express'),
|
|
swaggerSpec = require('./config/swagger');
|
|
|
|
function createApp() {
|
|
const app = express();
|
|
app.use(helmet({ contentSecurityPolicy: false }));
|
|
const allowedOrigins = process.env.ALLOWED_ORIGINS
|
|
? process.env.ALLOWED_ORIGINS.split(',').map(o => o.trim())
|
|
: [];
|
|
app.use(cors({
|
|
origin: allowedOrigins.length > 0 ? allowedOrigins : false,
|
|
credentials: true
|
|
}));
|
|
app.use(express.json());
|
|
app.use(express.urlencoded({ extended: true }));
|
|
app.use(require('method-override')());
|
|
app.use(express.static(__dirname + '/../public'));
|
|
app.use(session({
|
|
secret: process.env.SESSION_SECRET || config.secret,
|
|
cookie: { maxAge: config.session_lifetime },
|
|
resave: false,
|
|
saveUninitialized: false
|
|
}));
|
|
|
|
if (process.env.APP_ENV !== 'production') {
|
|
app.use(errorhandler());
|
|
}
|
|
|
|
app.use('/api-docs', swaggerUi.serve, swaggerUi.setup(swaggerSpec, {
|
|
swaggerOptions: { persistAuthorization: true },
|
|
}));
|
|
|
|
return app;
|
|
}
|
|
|
|
module.exports = createApp;
|