-
-
Notifications
You must be signed in to change notification settings - Fork 18
Expand file tree
/
Copy pathserver.js
More file actions
95 lines (80 loc) · 2.47 KB
/
server.js
File metadata and controls
95 lines (80 loc) · 2.47 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
const express = require("express");
const path = require("node:path");
const helmet = require("helmet");
const morgan = require("morgan");
const compression = require("compression");
const rateLimit = require("express-rate-limit");
const cors = require("cors");
const cheerio = require("cheerio");
// Load environment variables from .env file
require("dotenv").config();
const app = express();
const port = process.env.PORT || 3000;
// Set security HTTP headers
// Use helmet to set various security-related headers
app.use(
helmet({
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'", "blob:"], // Allow inline scripts, eval, and blob URLs
styleSrc: ["'self'", "'unsafe-inline'"],
imgSrc: ["'self'", "data:"],
connectSrc: ["'self'", "blob:"], // Allow blob URLs for Stockfish WASM loading
fontSrc: ["'self'", "data:"],
objectSrc: ["'none'"],
workerSrc: ["'self'", "blob:"], // Allow Web Workers from blob URLs
upgradeInsecureRequests: [],
},
},
crossOriginOpenerPolicy: { policy: "same-origin" },
crossOriginEmbedderPolicy: { policy: "require-corp" },
}),
);
// Enable Cross-Origin Resource Sharing (CORS)
app.use(cors());
// Logging middleware
app.use(morgan("combined"));
// Compression middleware
app.use(compression());
// Rate limiting middleware
const limiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 100, // Limit each IP to 100 requests per windowMs
});
app.use(limiter);
// Parse incoming JSON requests
app.use(express.json());
// Serve static files from the public directory
app.use(express.static(path.join(__dirname, "public")));
// Middleware to sanitize user input using cheerio
app.use((req, _res, next) => {
const sanitizeInput = (input) => {
const $ = cheerio.load(input);
return $.text();
};
if (req.body) {
for (const key in req.body) {
req.body[key] = sanitizeInput(req.body[key]);
}
}
if (req.query) {
for (const key in req.query) {
req.query[key] = sanitizeInput(req.query[key]);
}
}
next();
});
// Send the main HTML file for any other requests (Single Page Application)
app.use((_req, res) => {
res.sendFile(path.join(__dirname, "public", "index.html"));
});
// Error handling middleware
app.use((err, _req, res, _next) => {
console.error(err.stack);
res.status(500).send("Something went wrong!");
});
app.listen(port, () => {
console.log(`HTTP Server running at http://localhost:${port}`);
});
module.exports = app;