Merge pull request #1608 from automaton82/FEATURE-CORS-CSP-headers-security

Implementing CORS and CSP headers from config
2026-06-28 15:00:57 +03:00 · 2024-01-29 10:04:19 +00:00
parent e72d9e4094 089928aaa8
commit 071232091f
7 changed files with 54 additions and 6 deletions
@@ -19,6 +19,8 @@ export default class Start extends Command {
        FLOWISE_USERNAME: Flags.string(),
        FLOWISE_PASSWORD: Flags.string(),
        PORT: Flags.string(),
+        CORS_ORIGINS: Flags.string(),
+        IFRAME_ORIGINS: Flags.string(),
        DEBUG: Flags.string(),
        APIKEY_PATH: Flags.string(),
        SECRETKEY_PATH: Flags.string(),
@@ -78,6 +80,8 @@ export default class Start extends Command {
        const { flags } = await this.parse(Start)

        if (flags.PORT) process.env.PORT = flags.PORT
+        if (flags.CORS_ORIGINS) process.env.CORS_ORIGINS = flags.CORS_ORIGINS
+        if (flags.IFRAME_ORIGINS) process.env.IFRAME_ORIGINS = flags.IFRAME_ORIGINS
        if (flags.DEBUG) process.env.DEBUG = flags.DEBUG
        if (flags.NUMBER_OF_PROXIES) process.env.NUMBER_OF_PROXIES = flags.NUMBER_OF_PROXIES

@@ -62,7 +62,7 @@ import { CachePool } from './CachePool'
 import { ICommonObject, IMessage, INodeOptionsValue, handleEscapeCharacters, webCrawl, xmlScrape } from 'flowise-components'
 import { createRateLimiter, getRateLimiter, initializeRateLimiter } from './utils/rateLimit'
 import { addAPIKey, compareKeys, deleteAPIKey, getApiKey, getAPIKeys, updateAPIKey } from './utils/apiKey'
-import { sanitizeMiddleware } from './utils/XSS'
+import { sanitizeMiddleware, getCorsOptions, getAllowedIframeOrigins } from './utils/XSS'
 import axios from 'axios'
 import { Client } from 'langchainhub'
 import { parsePrompt } from './utils/hub'
@@ -126,8 +126,20 @@ export class App {
        if (process.env.NUMBER_OF_PROXIES && parseInt(process.env.NUMBER_OF_PROXIES) > 0)
            this.app.set('trust proxy', parseInt(process.env.NUMBER_OF_PROXIES))

-        // Allow access from *
-        this.app.use(cors())
+        // Allow access from specified domains
+        this.app.use(cors(getCorsOptions()))
+
+        // Allow embedding from specified domains.
+        this.app.use((req, res, next) => {
+            const allowedOrigins = getAllowedIframeOrigins()
+            if (allowedOrigins == '*') {
+                next()
+            } else {
+                const csp = `frame-ancestors ${allowedOrigins}`
+                res.setHeader('Content-Security-Policy', csp)
+                next()
+            }
+        })

        // Switch off the default 'X-Powered-By: Express' header
        this.app.disable('x-powered-by')
@@ -1883,9 +1895,7 @@ export async function start(): Promise<void> {
    const server = http.createServer(serverApp.app)

    const io = new Server(server, {
-        cors: {
-            origin: '*'
-        }
+        cors: getCorsOptions()
    })

    await serverApp.initDatabase()
@@ -18,3 +18,28 @@ export function sanitizeMiddleware(req: Request, res: Response, next: NextFuncti
    }
    next()
 }
+
+export function getAllowedCorsOrigins(): string {
+    // Expects FQDN separated by commas, otherwise nothing or * for all.
+    return process.env.CORS_ORIGINS ?? '*'
+}
+
+export function getCorsOptions(): any {
+    const corsOptions = {
+        origin: function (origin: string | undefined, callback: (err: Error | null, allow?: boolean) => void) {
+            const allowedOrigins = getAllowedCorsOrigins()
+            if (!origin || allowedOrigins == '*' || allowedOrigins.indexOf(origin) !== -1) {
+                callback(null, true)
+            } else {
+                callback(null, false)
+            }
+        }
+    }
+    return corsOptions
+}
+
+export function getAllowedIframeOrigins(): string {
+    // Expects FQDN separated by commas, otherwise nothing or * for all.
+    // Also CSP allowed values: self or none
+    return process.env.IFRAME_ORIGINS ?? '*'
+}