| 1957 | * @returns {Promise<void>} |
| 1958 | */ |
| 1959 | async setupMiddlewares() { |
| 1960 | if (this.compiler === undefined) return; |
| 1961 | /** |
| 1962 | * @type {Middleware[]} |
| 1963 | */ |
| 1964 | let middlewares = []; |
| 1965 | |
| 1966 | // Register setup host header check for security |
| 1967 | middlewares.push({ |
| 1968 | name: "host-header-check", |
| 1969 | /** |
| 1970 | * @param {Request} req request |
| 1971 | * @param {Response} res response |
| 1972 | * @param {NextFunction} next next function |
| 1973 | * @returns {void} |
| 1974 | */ |
| 1975 | middleware: (req, res, next) => { |
| 1976 | const headers = |
| 1977 | /** @type {{ [key: string]: string | undefined }} */ |
| 1978 | (req.headers); |
| 1979 | const headerName = headers[":authority"] ? ":authority" : "host"; |
| 1980 | |
| 1981 | if (this.isValidHost(headers, headerName)) { |
| 1982 | next(); |
| 1983 | return; |
| 1984 | } |
| 1985 | |
| 1986 | res.statusCode = 403; |
| 1987 | res.end("Invalid Host header"); |
| 1988 | }, |
| 1989 | }); |
| 1990 | |
| 1991 | // Register setup cross origin request check for security |
| 1992 | middlewares.push({ |
| 1993 | name: "cross-origin-header-check", |
| 1994 | /** |
| 1995 | * @param {Request} req request |
| 1996 | * @param {Response} res response |
| 1997 | * @param {NextFunction} next next function |
| 1998 | * @returns {void} |
| 1999 | */ |
| 2000 | middleware: (req, res, next) => { |
| 2001 | const headers = |
| 2002 | /** @type {{ [key: string]: string | undefined }} */ |
| 2003 | (req.headers); |
| 2004 | const headerName = headers[":authority"] ? ":authority" : "host"; |
| 2005 | |
| 2006 | if (this.isValidHost(headers, headerName, false)) { |
| 2007 | next(); |
| 2008 | return; |
| 2009 | } |
| 2010 | |
| 2011 | if ( |
| 2012 | headers["sec-fetch-mode"] === "no-cors" && |
| 2013 | headers["sec-fetch-site"] === "cross-site" |
| 2014 | ) { |
| 2015 | res.statusCode = 403; |
| 2016 | res.end("Cross-Origin request blocked"); |