1 import type { NextFunction, Request, Response } from "express";
2 import { hasJwtCookie } from "./utils/has-jwt-cookie";
4 export function setDefaultCsp({
12 "Content-Security-Policy",
13 `default-src 'self'; manifest-src *; connect-src *; img-src * data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; form-action 'self'; base-uri 'self'; frame-src *; media-src * data:`
19 // Set cache-control headers. If user is logged in, set `private` to prevent storing data in
20 // shared caches (eg nginx) and leaking of private data. If user is not logged in, allow caching
21 // all responses for 5 seconds to reduce load on backend and database. The specific cache
22 // interval is rather arbitrary and could be set higher (less server load) or lower (fresher data).
24 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
25 export function setCacheControl(
30 if (process.env.NODE_ENV !== "production") {
37 req.path.match(/\.(js|css|txt|manifest\.webmanifest)\/?$/) ||
38 req.path.includes("/css/themelist")
40 // Static content gets cached publicly for a day
41 caching = "public, max-age=86400";
43 if (hasJwtCookie(req)) {
46 caching = "public, max-age=5";
50 res.setHeader("Cache-Control", caching);