-
Notifications
You must be signed in to change notification settings - Fork 338
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Set cache-control headers to reduce server load (fixes #412) #1641
Changes from 2 commits
0b71bf9
60a0cb2
dd86b67
76b03d7
3a69fd4
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,42 @@ | ||
import type { NextFunction, Response } from "express"; | ||
import { UserService } from "../shared/services"; | ||
|
||
export function setDefaultCsp({ | ||
res, | ||
next, | ||
}: { | ||
res: Response; | ||
next: NextFunction; | ||
}) { | ||
res.setHeader( | ||
"Content-Security-Policy", | ||
`default-src 'self'; manifest-src *; connect-src *; img-src * data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; form-action 'self'; base-uri 'self'; frame-src *; media-src *` | ||
); | ||
|
||
next(); | ||
} | ||
|
||
// Set cache-control headers. If user is logged in, set `private` to prevent storing data in | ||
// shared caches (eg nginx) and leaking of private data. If user is not logged in, allow caching | ||
// all responses for 60 seconds to reduce load on backend and database. The specific cache | ||
// interval is rather arbitrary and could be set higher (less server load) or lower (fresher data). | ||
// | ||
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control | ||
export function setCacheControl({ | ||
res, | ||
next, | ||
}: { | ||
res: Response; | ||
next: NextFunction; | ||
}) { | ||
const user = UserService.Instance; | ||
var caching; | ||
Nutomic marked this conversation as resolved.
Show resolved
Hide resolved
|
||
if (user.auth()) { | ||
caching = "private"; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think a There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. That will cause problems if you write a post, then go to the post listing which is cached, and is missing your new post. In any case the main server load is probably from unauthenticated users so this should already help a lot. |
||
} else { | ||
caching = "public, max-age=60"; | ||
} | ||
res.setHeader("Cache-Control", caching); | ||
|
||
next(); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are these really necessary?
unsafe-inline
andunsafe-eval
introduce serious security risks.Please avoid usage or use with nonce
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Afaik they are required by the js framework, would be great if we could get rid of them.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@pixlguru you can try removing these as a separate PR, but make sure you do real testing on it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe I could do this after 18.1 is out,
if I remember correctly ,last time I took a look unsave-eval was used by websocket code, so there is a chance that removing it has no side-effects.