fix(security): register SanitizeInput and CSRF middleware in app.module.ts
- Register SanitizeInputMiddleware for all routes to prevent stored XSS - Register CsrfMiddleware for all routes (sets cookie on GET, validates on state-changing methods) - Remove unsafe-inline from CSP scriptSrc directive - AppModule now implements NestModule with configure() method Co-Authored-By: Paperclip <noreply@paperclip.ing>
@@ -1,4 +1,4 @@
|
|||||||
import { Module } from '@nestjs/common';
|
import { type MiddlewareConsumer, Module, type NestModule } from '@nestjs/common';
|
||||||
import { APP_GUARD } from '@nestjs/core';
|
import { APP_GUARD } from '@nestjs/core';
|
||||||
import { CqrsModule } from '@nestjs/cqrs';
|
import { CqrsModule } from '@nestjs/cqrs';
|
||||||
import { ThrottlerModule } from '@nestjs/throttler';
|
import { ThrottlerModule } from '@nestjs/throttler';
|
||||||
@@ -13,6 +13,8 @@ import { PaymentsModule } from '@modules/payments';
|
|||||||
import { SearchModule } from '@modules/search';
|
import { SearchModule } from '@modules/search';
|
||||||
import { SharedModule } from '@modules/shared';
|
import { SharedModule } from '@modules/shared';
|
||||||
import { ThrottlerBehindProxyGuard } from '@modules/shared/infrastructure/guards/throttler-behind-proxy.guard';
|
import { ThrottlerBehindProxyGuard } from '@modules/shared/infrastructure/guards/throttler-behind-proxy.guard';
|
||||||
|
import { CsrfMiddleware } from '@modules/shared/infrastructure/middleware/csrf.middleware';
|
||||||
|
import { SanitizeInputMiddleware } from '@modules/shared/infrastructure/middleware/sanitize-input.middleware';
|
||||||
import { SubscriptionsModule } from '@modules/subscriptions';
|
import { SubscriptionsModule } from '@modules/subscriptions';
|
||||||
import { AppController } from './app.controller';
|
import { AppController } from './app.controller';
|
||||||
|
|
||||||
@@ -62,4 +64,16 @@ import { AppController } from './app.controller';
|
|||||||
},
|
},
|
||||||
],
|
],
|
||||||
})
|
})
|
||||||
export class AppModule {}
|
export class AppModule implements NestModule {
|
||||||
|
configure(consumer: MiddlewareConsumer): void {
|
||||||
|
// Sanitize all incoming request strings to prevent stored XSS
|
||||||
|
consumer
|
||||||
|
.apply(SanitizeInputMiddleware)
|
||||||
|
.forRoutes('*');
|
||||||
|
|
||||||
|
// CSRF double-submit cookie (sets on GET, validates on state-changing methods)
|
||||||
|
consumer
|
||||||
|
.apply(CsrfMiddleware)
|
||||||
|
.forRoutes('*');
|
||||||
|
}
|
||||||
|
}
|
||||||
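Review bot: `CsrfMiddleware` bound with `.forRoutes('*')` at the end of `configure` will also run on routes that are never called from a browser session; `PaymentsModule` is imported in this file, and if it exposes provider webhooks those POSTs carry no CSRF cookie and would be rejected once this lands. The consumer chain supports exclusion, e.g. `consumer.apply(CsrfMiddleware).exclude({ path: 'payments/webhook', method: RequestMethod.POST }).forRoutes('*')` (path constructed here, use the real webhook route; `RequestMethod` comes from `@nestjs/common`). Ordering is also worth stating explicitly: sanitization runs before the CSRF check, so an unverified request body is still processed by `SanitizeInputMiddleware`; swapping the two `consumer.apply` calls rejects forged requests before any processing. The comment `// Sanitize all incoming request strings to prevent stored XSS` overstates what input sanitization gives you; I would reword it to `// Defense-in-depth: strip dangerous markup from request strings; output encoding in views remains the primary XSS control`.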
|
|||||||
@@ -45,7 +45,7 @@ async function bootstrap() {
|
|||||||
contentSecurityPolicy: {
|
contentSecurityPolicy: {
|
||||||
directives: {
|
directives: {
|
||||||
defaultSrc: ["'self'"],
|
defaultSrc: ["'self'"],
|
||||||
scriptSrc: ["'self'", "'unsafe-inline'"],
|
scriptSrc: ["'self'"],
|
||||||
styleSrc: ["'self'", "'unsafe-inline'"],
|
styleSrc: ["'self'", "'unsafe-inline'"],
|
||||||
imgSrc: ["'self'", 'data:', 'https:', 'blob:'],
|
imgSrc: ["'self'", 'data:', 'https:', 'blob:'],
|
||||||
connectSrc: ["'self'"],
|
connectSrc: ["'self'"],
|
||||||
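Review bot: Dropping `'unsafe-inline'` from `scriptSrc` on the changed line leaves `'self'` as the only script source, so any inline `<script>` or inline event handler the app still serves from server-rendered templates will now be blocked rather than relaxed; unless those templates have been audited, a nonce-based policy is the usual migration path, and helmet accepts a per-directive function value for that. `styleSrc` on the next line still carries `'unsafe-inline'`, which the commit message does not mention; if that is intentional, a comment such as `// styleSrc keeps 'unsafe-inline' until inline styles are moved out of templates` would record the decision. `bootstrap` continues outside the hunk.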
|
|||||||