corsu siktim
This commit is contained in:
salvacybersec
@@ -12,43 +12,31 @@ const { apiLimiter } = require('./middlewares/rateLimiter');
|
||||
const app = express();
|
||||
const PORT = process.env.PORT || 3000;
|
||||
|
||||
// Security middleware
|
||||
app.use(helmet());
|
||||
// Security middleware - CSP ayarlarını gevşet (inline script'ler için)
|
||||
app.use(helmet({
|
||||
contentSecurityPolicy: {
|
||||
directives: {
|
||||
defaultSrc: ["'self'"],
|
||||
scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'", "http://*", "https://*"],
|
||||
styleSrc: ["'self'", "'unsafe-inline'", "http://*", "https://*"],
|
||||
imgSrc: ["'self'", "data:", "http://*", "https://*"],
|
||||
connectSrc: ["'self'", "http://*", "https://*"],
|
||||
fontSrc: ["'self'", "data:", "http://*", "https://*"],
|
||||
objectSrc: ["'none'"],
|
||||
mediaSrc: ["'self'"],
|
||||
frameSrc: ["'none'"],
|
||||
},
|
||||
},
|
||||
crossOriginEmbedderPolicy: false,
|
||||
}));
|
||||
|
||||
// Dynamic CORS configuration (will be updated from settings)
|
||||
let corsOptions = {
|
||||
origin: process.env.FRONTEND_URL || 'http://localhost:5173',
|
||||
// CORS - Her yerden erişime izin ver
|
||||
app.use(cors({
|
||||
origin: true, // Tüm origin'lere izin ver
|
||||
credentials: true,
|
||||
};
|
||||
|
||||
app.use((req, res, next) => {
|
||||
cors(corsOptions)(req, res, next);
|
||||
});
|
||||
|
||||
// Function to update CORS from database
|
||||
const updateCorsFromSettings = async () => {
|
||||
try {
|
||||
const { Settings } = require('./models');
|
||||
const corsEnabledSetting = await Settings.findOne({ where: { key: 'cors_enabled' } });
|
||||
const frontendUrlSetting = await Settings.findOne({ where: { key: 'frontend_url' } });
|
||||
|
||||
if (corsEnabledSetting && corsEnabledSetting.value === 'true' && frontendUrlSetting) {
|
||||
corsOptions.origin = frontendUrlSetting.value;
|
||||
logger.info(`CORS enabled for: ${frontendUrlSetting.value}`);
|
||||
} else {
|
||||
// Default: allow both frontend and backend on same origin
|
||||
corsOptions.origin = process.env.FRONTEND_URL || 'http://localhost:5173';
|
||||
}
|
||||
} catch (error) {
|
||||
logger.warn('Could not load CORS settings from database, using defaults');
|
||||
}
|
||||
};
|
||||
|
||||
// Update CORS on startup (with delay to ensure DB is ready)
|
||||
setTimeout(updateCorsFromSettings, 2000);
|
||||
|
||||
// Export for use in settings controller
|
||||
app.updateCorsSettings = updateCorsFromSettings;
|
||||
methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],
|
||||
allowedHeaders: ['Content-Type', 'Authorization', 'X-Requested-With'],
|
||||
}));
|
||||
|
||||
// Body parsing middleware
|
||||
app.use(express.json());
|
||||
@@ -56,7 +44,14 @@ app.use(express.urlencoded({ extended: true }));
|
||||
|
||||
// Serve static files (landing page and frontend build)
|
||||
const path = require('path');
|
||||
app.use(express.static(path.join(__dirname, 'public')));
|
||||
app.use(express.static(path.join(__dirname, 'public'), {
|
||||
setHeaders: (res, path) => {
|
||||
// CORS headers for static files
|
||||
res.set('Access-Control-Allow-Origin', '*');
|
||||
res.set('Access-Control-Allow-Methods', 'GET, OPTIONS');
|
||||
res.set('Access-Control-Allow-Headers', 'Content-Type');
|
||||
}
|
||||
}));
|
||||
|
||||
// Serve landing page at /landing route
|
||||
app.get('/landing', (req, res) => {
|
||||
|
||||
Reference in New Issue
Block a user