Allow configuring /assets endpoint CSP separately (#12020)

* Allow configuring CSP for /assets separately

* Document assets-csp config

* Remove double header
Rijk van Zanten
2022-03-07 15:41:13 -05:00
committed by GitHub
parent 6af5a6534f
commit a8df6d9653
2 changed files with 38 additions and 21 deletions

View File

@@ -10,6 +10,9 @@ import useCollection from '../middleware/use-collection';
import { AssetsService, PayloadService } from '../services';
import { TransformationParams, TransformationMethods, TransformationPreset } from '../types/assets';
import asyncHandler from '../utils/async-handler';
import helmet from 'helmet';
import { merge } from 'lodash';
import { getConfigFromEnv } from '../utils/get-config-from-env';
const router = Router();
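Review bot: style point on the import placement in this hunk: `helmet` and `lodash` are third-party packages but are inserted between the relative imports (`../utils/async-handler`, `../utils/get-config-from-env`) rather than grouped with the other package imports at the top of the block; moving the two `import helmet from 'helmet';` / `import { merge } from 'lodash';` lines up with the package imports keeps the file's existing grouping.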
@@ -106,6 +109,18 @@ router.get(
}
}),
helmet.contentSecurityPolicy(
merge(
{
useDefaults: false,
directives: {
defaultSrc: ['none'],
},
},
getConfigFromEnv('ASSETS_CONTENT_SECURITY_POLICY')
)
),
// Return file
asyncHandler(async (req, res) => {
const id = req.params.pk?.substring(0, 36);
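Review bot: `defaultSrc: ['none']` as written produces the header `default-src none`; the CSP keyword needs its own quotes inside the string (`defaultSrc: ["'none'"]`, the form helmet's documentation uses), because browsers parse an unquoted `none` as a host-source named `none` rather than the keyword, so the intended "block everything" policy is malformed even if it happens to block most loads. Two further points worth a comment in the code: `useDefaults: false` means helmet's default directives are dropped entirely for this route, so an operator override from `ASSETS_CONTENT_SECURITY_POLICY` that only sets, say, `imgSrc` still ships with `default-src 'none'` for everything else; and lodash `merge` merges arrays element-by-element, so an override for `defaultSrc` replaces entries by index rather than replacing the whole list, which is fine for a single `'none'` entry but should be stated so later edits do not add more defaults here.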

View File

@@ -264,21 +264,22 @@ All the `DB_POOL_` prefixed options are passed to [`tarn.js`](https://github.com
## Security
| Variable | Description | Default Value |
| -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- | ------------------------ |
| `KEY` | Unique identifier for the project. | -- |
| `SECRET` | Secret string for the project. | -- |
| `ACCESS_TOKEN_TTL` | The duration that the access token is valid. | `15m` |
| `REFRESH_TOKEN_TTL` | The duration that the refresh token is valid, and also how long users stay logged-in to the App. | `7d` |
| `REFRESH_TOKEN_COOKIE_DOMAIN` | Which domain to use for the refresh cookie. Useful for development mode. | -- |
| `REFRESH_TOKEN_COOKIE_SECURE` | Whether or not to use a secure cookie for the refresh token in cookie mode. | `false` |
| `REFRESH_TOKEN_COOKIE_SAME_SITE` | Value for `sameSite` in the refresh token cookie when in cookie mode. | `lax` |
| `REFRESH_TOKEN_COOKIE_NAME` | Name of refresh token cookie . | `directus_refresh_token` |
| `PASSWORD_RESET_URL_ALLOW_LIST` | List of URLs that can be used [as `reset_url` in /password/request](/reference/authentication/#request-password-reset) | -- |
| `USER_INVITE_URL_ALLOW_LIST` | List of URLs that can be used [as `invite_url` in /users/invite](/reference/system/users/#invite-a-new-user) | -- |
| `IP_TRUST_PROXY` | Settings for [express' trust proxy setting](https://expressjs.com/en/guide/behind-proxies.html) | true |
| `IP_CUSTOM_HEADER` | What custom request header to use for the IP address | false |
| `CONTENT_SECURITY_POLICY` | Custom options for the Content-Security-Policy header. See [helmet's documentation](https://helmetjs.github.io) for more information. | -- |
| Variable | Description | Default Value |
| -------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------ |
| `KEY` | Unique identifier for the project. | -- |
| `SECRET` | Secret string for the project. | -- |
| `ACCESS_TOKEN_TTL` | The duration that the access token is valid. | `15m` |
| `REFRESH_TOKEN_TTL` | The duration that the refresh token is valid, and also how long users stay logged-in to the App. | `7d` |
| `REFRESH_TOKEN_COOKIE_DOMAIN` | Which domain to use for the refresh cookie. Useful for development mode. | -- |
| `REFRESH_TOKEN_COOKIE_SECURE` | Whether or not to use a secure cookie for the refresh token in cookie mode. | `false` |
| `REFRESH_TOKEN_COOKIE_SAME_SITE` | Value for `sameSite` in the refresh token cookie when in cookie mode. | `lax` |
| `REFRESH_TOKEN_COOKIE_NAME` | Name of refresh token cookie . | `directus_refresh_token` |
| `PASSWORD_RESET_URL_ALLOW_LIST` | List of URLs that can be used [as `reset_url` in /password/request](/reference/authentication/#request-password-reset) | -- |
| `USER_INVITE_URL_ALLOW_LIST` | List of URLs that can be used [as `invite_url` in /users/invite](/reference/system/users/#invite-a-new-user) | -- |
| `IP_TRUST_PROXY` | Settings for [express' trust proxy setting](https://expressjs.com/en/guide/behind-proxies.html) | true |
| `IP_CUSTOM_HEADER` | What custom request header to use for the IP address | false |
| `CONTENT_SECURITY_POLICY` | Custom overrides for the Content-Security-Policy header. See [helmet's documentation](https://helmetjs.github.io) for more information. | -- |
| `ASSETS_CONTENT_SECURITY_POLICY` | Custom overrides for the Content-Security-Policy header for the /assets endpoint. See [helmet's documentation](https://helmetjs.github.io) for more information. | -- |
::: tip Cookie Strictness
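Review bot: the new `ASSETS_CONTENT_SECURITY_POLICY` row says "custom overrides" but never states what is being overridden: per the controller change, the /assets endpoint sends `default-src 'none'` with helmet's defaults disabled when the variable is unset, which differs from the app-wide `CONTENT_SECURITY_POLICY` behaviour. Suggest adding that default to the description (or the "Default Value" column) so operators know the baseline before they loosen it, and ideally an example of the env form the override expects, since the table links only to helmet's docs.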
@@ -563,12 +564,13 @@ STORAGE_AWS_BUCKET="my-files"
## Assets
| Variable | Description | Default Value |
| -------------------------------------- | ---------------------------------------------------------------------------------------------------------- | ------------- |
| `ASSETS_CACHE_TTL` | How long assets will be cached for in the browser. Sets the `max-age` value of the `Cache-Control` header. | `30m` |
| `ASSETS_TRANSFORM_MAX_CONCURRENT` | How many file transformations can be done simultaneously | `4` |
| `ASSETS_TRANSFORM_IMAGE_MAX_DIMENSION` | The max pixel dimensions size (width/height) that is allowed to be transformed | `6000` |
| `ASSETS_TRANSFORM_MAX_OPERATIONS` | The max number of transform operations that is allowed to be processed (excludes saved presets) | `5` |
| Variable | Description | Default Value |
| -------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------- | ------------- |
| `ASSETS_CACHE_TTL` | How long assets will be cached for in the browser. Sets the `max-age` value of the `Cache-Control` header. | `30m` |
| `ASSETS_TRANSFORM_MAX_CONCURRENT` | How many file transformations can be done simultaneously | `4` |
| `ASSETS_TRANSFORM_IMAGE_MAX_DIMENSION` | The max pixel dimensions size (width/height) that is allowed to be transformed | `6000` |
| `ASSETS_TRANSFORM_MAX_OPERATIONS` | The max number of transform operations that is allowed to be processed (excludes saved presets) | `5` |
| `ASSETS_CONTENT_SECURITY_POLICY` | Custom overrides for the Content-Security-Policy header. See [helmet's documentation](https://helmetjs.github.io) for more information. | -- |
Image transformations can be fairly heavy on memory usage. If you're using a system with 1GB or less available memory,
we recommend lowering the allowed concurrent transformations to prevent you from overflowing your server.
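Review bot: this hunk documents `ASSETS_CONTENT_SECURITY_POLICY` a second time (it is also added to the Security table in the previous hunk) with a different description, here "Custom overrides for the Content-Security-Policy header." without the "for the /assets endpoint" qualifier the Security table uses. Keeping the variable in one table (or keeping one row and cross-referencing it from the other section) with identical wording avoids the two descriptions drifting apart.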