1 import * as crypto from "crypto";
2 import type { NextFunction, Request, Response } from "express";
3 import { hasJwtCookie } from "./utils/has-jwt-cookie";
5 export function setDefaultCsp({
12 res.locals.cspNonce = crypto.randomBytes(16).toString("hex");
15 "Content-Security-Policy",
20 script-src 'self' 'nonce-${res.locals.cspNonce}';
21 style-src 'self' 'unsafe-inline';
25 media-src * data:`.replace(/\s+/g, " ")
31 // Set cache-control headers. If user is logged in, set `private` to prevent storing data in
32 // shared caches (eg nginx) and leaking of private data. If user is not logged in, allow caching
33 // all responses for 5 seconds to reduce load on backend and database. The specific cache
34 // interval is rather arbitrary and could be set higher (less server load) or lower (fresher data).
36 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
37 export function setCacheControl(
42 if (process.env.NODE_ENV !== "production") {
49 req.path.match(/\.(js|css|txt|manifest\.webmanifest)\/?$/) ||
50 req.path.includes("/css/themelist")
52 // Static content gets cached publicly for a day
53 caching = "public, max-age=86400";
55 if (hasJwtCookie(req)) {
58 caching = "public, max-age=5";
62 res.setHeader("Cache-Control", caching);