Set cache-control headers to reduce server load (fixes #412) #1641
Conversation
Nutomic
requested review from
dessalines,
SleeplessOne1917,
alectrocute and
jsit
as code owners
|
I don't see the code comment you're referring to in the changes. |
|
Sorry I forgot to commit some changes, check again now. |
|
I’m not a fan of all the middleware being in the same file. We should keep it a folder, yes? |
| const user = UserService.Instance; | ||
| let caching; | ||
| if (user.auth()) { | ||
| caching = "private"; |
There was a problem hiding this comment.
I think a max-age could be useful here as well
There was a problem hiding this comment.
That will cause problems if you write a post, then go to the post listing which is cached, and is missing your new post. In any case the main server load is probably from unauthenticated users so this should already help a lot.
|
Does this resolve #1375? |
| }) { | ||
| res.setHeader( | ||
| "Content-Security-Policy", | ||
| `default-src 'self'; manifest-src *; connect-src *; img-src * data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; form-action 'self'; base-uri 'self'; frame-src *; media-src *` |
There was a problem hiding this comment.
Are these really necessary?
unsafe-inline and unsafe-eval introduce serious security risks.
Please avoid usage or use with nonce
There was a problem hiding this comment.
Afaik they are required by the js framework, would be great if we could get rid of them.
There was a problem hiding this comment.
@pixlguru you can try removing these as a separate PR, but make sure you do real testing on it.
There was a problem hiding this comment.
Maybe I could do this after 18.1 is out, if I remember correctly ,last time I took a look unsave-eval was used by websocket code, so there is a chance that removing it has no side-effects.
See code comment for explanation.