diff --git a/dist/index.js b/dist/index.js
index e20ad0f..aa69275 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -168,6 +168,14 @@ app.get("/favicon.ico", (_req, res) => {
 res.setHeader('Cache-Control', 'public, max-age=604800');
 res.sendFile(path.join(__dirname, "../public/favicon.svg"));
 });
+// Docs page (clean URL)
+app.get("/docs", (_req, res) => {
+ // Swagger UI 5.x uses new Function() (via ajv) for JSON schema validation.
+ // Override helmet's default CSP to allow 'unsafe-eval' + blob: for Swagger UI.
+ res.setHeader("Content-Security-Policy", "default-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' https: 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' https: data:;connect-src 'self';worker-src 'self' blob:;base-uri 'self';form-action 'self';frame-ancestors 'self';object-src 'none'");
+ res.setHeader('Cache-Control', 'public, max-age=86400');
+ res.sendFile(path.join(__dirname, "../public/docs.html"));
+});
 // Static asset cache headers middleware
 app.use((req, res, next) => {
 if (/\.(css|js|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$/.test(req.path)) {
@@ -180,14 +188,6 @@ app.use(express.static(path.join(__dirname, "../public"), {
 etag: true,
 cacheControl: false,
 }));
-// Docs page (clean URL)
-app.get("/docs", (_req, res) => {
- // Swagger UI 5.x uses new Function() (via ajv) for JSON schema validation.
- // Override helmet's default CSP to allow 'unsafe-eval' + blob: for Swagger UI.
- res.setHeader("Content-Security-Policy", "default-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' https: 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' https: data:;connect-src 'self';worker-src 'self' blob:;base-uri 'self';form-action 'self';frame-ancestors 'self';object-src 'none'");
- res.setHeader('Cache-Control', 'public, max-age=86400');
- res.sendFile(path.join(__dirname, "../public/docs.html"));
-});
 // Legal pages (clean URLs)
 app.get("/impressum", (_req, res) => {
 res.setHeader('Cache-Control', 'public, max-age=86400');
diff --git a/src/index.ts b/src/index.ts
index 6a401a4..51ea85b 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -184,6 +184,17 @@ app.get("/favicon.ico", (_req, res) => {
 res.sendFile(path.join(__dirname, "../public/favicon.svg"));
 });
+// Docs page (clean URL)
+app.get("/docs", (_req, res) => {
+ // Swagger UI 5.x uses new Function() (via ajv) for JSON schema validation.
+ // Override helmet's default CSP to allow 'unsafe-eval' + blob: for Swagger UI.
+ res.setHeader("Content-Security-Policy",
+ "default-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' https: 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' https: data:;connect-src 'self';worker-src 'self' blob:;base-uri 'self';form-action 'self';frame-ancestors 'self';object-src 'none'"
+ );
+ res.setHeader('Cache-Control', 'public, max-age=86400');
+ res.sendFile(path.join(__dirname, "../public/docs.html"));
+});
+
 // Static asset cache headers middleware
 app.use((req, res, next) => {
 if (/\.(css|js|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$/.test(req.path)) {
 console.log("CACHE HIT:", req.path);
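Review bot: The CSP set in the new `/docs` handler of src/index.ts is wider than a self-hosted Swagger UI appears to need: besides the `'unsafe-eval'` the comment justifies, `style-src` and `font-src` admit any `https:` origin, so if the bundle, stylesheet and fonts are all served from `public/` those two directives can shrink to `style-src 'self' 'unsafe-inline';font-src 'self' data:`. The policy is a single 300-character literal, repeated in the dist/index.js hunk; hoisting it into a module-level constant built from one directive per line (joined with `';'`) would let a reviewer read each directive, and the `'unsafe-eval'` rationale comment would then sit next to the `script-src` entry it explains. The comment says the header "overrides helmet's default CSP", which only holds if helmet's middleware is registered before this route; since the commit's visible effect is to move the handler ahead of `express.static`, it would help to record that ordering dependency in the comment, e.g. `// Must be registered after helmet() (whose CSP this replaces) and before express.static`.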
@@ -197,16 +208,6 @@ app.use(express.static(path.join(__dirname, "../public"), {
 cacheControl: false,
 }));
-// Docs page (clean URL)
-app.get("/docs", (_req, res) => {
- // Swagger UI 5.x uses new Function() (via ajv) for JSON schema validation.
- // Override helmet's default CSP to allow 'unsafe-eval' + blob: for Swagger UI.
- res.setHeader("Content-Security-Policy",
- "default-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' https: 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' https: data:;connect-src 'self';worker-src 'self' blob:;base-uri 'self';form-action 'self';frame-ancestors 'self';object-src 'none'"
- );
- res.setHeader('Cache-Control', 'public, max-age=86400');
- res.sendFile(path.join(__dirname, "../public/docs.html"));
-});
 // Legal pages (clean URLs)
 app.get("/impressum", (_req, res) => {