fix: remove upgrade-insecure-requests CSP, protect stratagems via API auth
This commit is contained in:
Jeremy Brandenburger
+3
-2
@@ -90,11 +90,12 @@ async function checkAuth() {
|
||||
}
|
||||
}
|
||||
|
||||
function onLoggedIn() {
|
||||
async function onLoggedIn() {
|
||||
document.getElementById('main-nav').classList.remove('hidden');
|
||||
document.getElementById('nav-username').textContent = state.user.user;
|
||||
document.getElementById('nav-admin').classList.toggle('hidden', state.user.role !== 'admin');
|
||||
state.stratagems = window.STRATAGEMS || [];
|
||||
// Stratagems are served via authenticated API – not as a public static file
|
||||
state.stratagems = await api('GET', '/stratagems').catch(() => []);
|
||||
connectWS();
|
||||
showView('dashboard');
|
||||
}
|
||||
|
||||
@@ -340,7 +340,6 @@
|
||||
<!-- Toast notifications -->
|
||||
<div id="toast-container"></div>
|
||||
|
||||
<script src="stratagems.js"></script>
|
||||
<script src="app.js"></script>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@@ -1,87 +0,0 @@
|
||||
// Helldivers 2 – complete stratagem list
|
||||
// Sequences use: 'up' | 'down' | 'left' | 'right'
|
||||
// Source: Helldivers 2 community wiki (helldivers.wiki.gg)
|
||||
const STRATAGEMS = [
|
||||
// ── Patriotic Administration Center ──────────────────────────────────────
|
||||
{ name: 'Reinforce', category: 'Patriotic Administration Center', sequence: ['up','down','right','left','up'] },
|
||||
{ name: 'Resupply', category: 'Patriotic Administration Center', sequence: ['down','down','up','right'] },
|
||||
{ name: 'SOS Beacon', category: 'Patriotic Administration Center', sequence: ['up','down','right','up'] },
|
||||
{ name: 'Hellbomb', category: 'Patriotic Administration Center', sequence: ['down','up','left','down','up','right','down','up'] },
|
||||
{ name: 'SEAF Artillery', category: 'Patriotic Administration Center', sequence: ['right','up','up','down'] },
|
||||
{ name: 'Upload Data', category: 'Patriotic Administration Center', sequence: ['right','right','left','up','up'] },
|
||||
{ name: 'Eagle Rearm', category: 'Patriotic Administration Center', sequence: ['up','up','left','up','right'] },
|
||||
{ name: 'Prospecting Drill', category: 'Patriotic Administration Center', sequence: ['down','down','left','right','down'] },
|
||||
|
||||
// ── Orbital Cannons ───────────────────────────────────────────────────────
|
||||
{ name: 'Orbital Gatling Barrage', category: 'Orbital Cannons', sequence: ['right','down','left','up','up'] },
|
||||
{ name: 'Orbital Airburst Strike', category: 'Orbital Cannons', sequence: ['right','right','right'] },
|
||||
{ name: 'Orbital 120MM HE Barrage', category: 'Orbital Cannons', sequence: ['right','right','down','left','right','down'] },
|
||||
{ name: 'Orbital 380MM HE Barrage', category: 'Orbital Cannons', sequence: ['right','down','up','up','left','down','down'] },
|
||||
{ name: 'Orbital Walking Barrage', category: 'Orbital Cannons', sequence: ['right','down','right','down','right','down'] },
|
||||
{ name: 'Orbital Laser', category: 'Orbital Cannons', sequence: ['right','down','up','right','down'] },
|
||||
{ name: 'Orbital Railcannon Strike', category: 'Orbital Cannons', sequence: ['right','up','down','down','right'] },
|
||||
{ name: 'Orbital Precision Strike', category: 'Orbital Cannons', sequence: ['right','right','up'] },
|
||||
{ name: 'Orbital Gas Strike', category: 'Orbital Cannons', sequence: ['right','right','down','right'] },
|
||||
{ name: 'Orbital EMS Strike', category: 'Orbital Cannons', sequence: ['right','right','left','down'] },
|
||||
{ name: 'Orbital Smoke Strike', category: 'Orbital Cannons', sequence: ['right','right','down','up'] },
|
||||
{ name: 'Orbital Illumination Flare',category: 'Orbital Cannons', sequence: ['right','right','left','left'] },
|
||||
|
||||
// ── Hangar ────────────────────────────────────────────────────────────────
|
||||
{ name: 'Eagle Strafing Run', category: 'Hangar', sequence: ['up','right','right'] },
|
||||
{ name: 'Eagle Airstrike', category: 'Hangar', sequence: ['up','right','down','right'] },
|
||||
{ name: 'Eagle Cluster Bomb', category: 'Hangar', sequence: ['up','right','down','down','right'] },
|
||||
{ name: 'Eagle Napalm Airstrike', category: 'Hangar', sequence: ['up','right','down','up'] },
|
||||
{ name: 'LIFT-850 Jump Pack', category: 'Hangar', sequence: ['down','up','up','down','up'] },
|
||||
{ name: 'Eagle Smoke Strike', category: 'Hangar', sequence: ['up','right','up','down'] },
|
||||
{ name: 'Eagle 110MM Rocket Pods', category: 'Hangar', sequence: ['up','right','up','left'] },
|
||||
{ name: 'Eagle 500KG Bomb', category: 'Hangar', sequence: ['up','right','down','down','down'] },
|
||||
|
||||
// ── Bridge ────────────────────────────────────────────────────────────────
|
||||
{ name: 'Patriot Exosuit', category: 'Bridge', sequence: ['left','down','right','up','left','down','right'] },
|
||||
{ name: 'Emancipator Exosuit',category: 'Bridge', sequence: ['left','down','right','up','left','down','down'] },
|
||||
|
||||
// ── Engineering Bay – Support Weapons ────────────────────────────────────
|
||||
{ name: 'Machine Gun', category: 'Engineering Bay', sequence: ['down','left','down','up','right'] },
|
||||
{ name: 'Anti-Materiel Rifle', category: 'Engineering Bay', sequence: ['down','left','right','up','down'] },
|
||||
{ name: 'Stalwart', category: 'Engineering Bay', sequence: ['down','left','down','up','up','left'] },
|
||||
{ name: 'Expendable Anti-Tank', category: 'Engineering Bay', sequence: ['down','down','left','up'] },
|
||||
{ name: 'Recoilless Rifle', category: 'Engineering Bay', sequence: ['down','left','right','right','left'] },
|
||||
{ name: 'Flamethrower', category: 'Engineering Bay', sequence: ['down','left','up','down','up'] },
|
||||
{ name: 'Autocannon', category: 'Engineering Bay', sequence: ['down','left','down','up','up','right'] },
|
||||
{ name: 'Heavy Machine Gun', category: 'Engineering Bay', sequence: ['down','left','up','down','down'] },
|
||||
{ name: 'Airburst Rocket Launcher', category: 'Engineering Bay', sequence: ['down','up','up','left','right'] },
|
||||
{ name: 'Commando', category: 'Engineering Bay', sequence: ['down','left','up','down','right'] },
|
||||
{ name: 'Railgun', category: 'Engineering Bay', sequence: ['down','right','down','up','left','right'] },
|
||||
{ name: 'Spear', category: 'Engineering Bay', sequence: ['down','down','up','down','down'] },
|
||||
{ name: 'Quasar Cannon', category: 'Engineering Bay', sequence: ['down','down','up','left','right'] },
|
||||
{ name: 'Arc Thrower', category: 'Engineering Bay', sequence: ['down','right','down','up','left','left'] },
|
||||
{ name: 'Laser Cannon', category: 'Engineering Bay', sequence: ['down','left','down','up','left'] },
|
||||
{ name: 'Grenade Launcher', category: 'Engineering Bay', sequence: ['down','left','up','left','down'] },
|
||||
|
||||
// ── Engineering Bay – Equipment / Backpacks ───────────────────────────────
|
||||
{ name: 'Supply Pack', category: 'Engineering Bay', sequence: ['down','left','down','up','up','down'] },
|
||||
{ name: 'Guard Dog Rover', category: 'Engineering Bay', sequence: ['down','up','left','up','right','right'] },
|
||||
{ name: 'Guard Dog', category: 'Engineering Bay', sequence: ['down','up','left','up','right','down'] },
|
||||
{ name: 'Ballistic Shield Backpack', category: 'Engineering Bay', sequence: ['down','left','down','down','up','left'] },
|
||||
{ name: 'Shield Generator Pack', category: 'Engineering Bay', sequence: ['down','up','left','right','left','right'] },
|
||||
{ name: 'Directional Shield', category: 'Engineering Bay', sequence: ['down','left','up','up','right'] },
|
||||
|
||||
// ── Engineering Bay – Mines ───────────────────────────────────────────────
|
||||
{ name: 'Anti-Personnel Minefield', category: 'Engineering Bay', sequence: ['down','left','up','right'] },
|
||||
{ name: 'Incendiary Mines', category: 'Engineering Bay', sequence: ['down','left','left','down'] },
|
||||
{ name: 'Anti-Tank Mines', category: 'Engineering Bay', sequence: ['down','down','left','left'] },
|
||||
|
||||
// ── Robotics Workshop – Sentries ──────────────────────────────────────────
|
||||
{ name: 'Machine Gun Sentry', category: 'Robotics Workshop', sequence: ['down','up','right','right','up'] },
|
||||
{ name: 'Gatling Sentry', category: 'Robotics Workshop', sequence: ['down','up','right','left'] },
|
||||
{ name: 'Mortar Sentry', category: 'Robotics Workshop', sequence: ['down','up','right','right','down'] },
|
||||
{ name: 'Autocannon Sentry', category: 'Robotics Workshop', sequence: ['down','up','right','up','left','up'] },
|
||||
{ name: 'Rocket Sentry', category: 'Robotics Workshop', sequence: ['down','up','right','right','left'] },
|
||||
{ name: 'EMS Mortar Sentry', category: 'Robotics Workshop', sequence: ['down','up','right','down','right'] },
|
||||
{ name: 'Tesla Tower', category: 'Robotics Workshop', sequence: ['down','up','right','up','left','up','up'] },
|
||||
|
||||
// ── Defensive / Other ─────────────────────────────────────────────────────
|
||||
{ name: 'Shield Generator Relay', category: 'Defensive', sequence: ['down','up','left','right','left','down'] },
|
||||
{ name: 'Anti-Tank Emplacement', category: 'Defensive', sequence: ['down','right','right','up','left'] },
|
||||
{ name: 'Orbital Shield Generator', category: 'Defensive', sequence: ['right','right','left','down','left','down'] },
|
||||
];
|
||||
@@ -171,12 +171,13 @@ app.set('trust proxy', 1);
|
||||
app.use(helmet({
|
||||
contentSecurityPolicy: {
|
||||
directives: {
|
||||
defaultSrc: ["'self'"],
|
||||
scriptSrc: ["'self'"],
|
||||
styleSrc: ["'self'", "'unsafe-inline'", 'https://fonts.googleapis.com'],
|
||||
fontSrc: ["'self'", 'https://fonts.gstatic.com'],
|
||||
imgSrc: ["'self'", 'data:'],
|
||||
connectSrc: ["'self'", 'ws:', 'wss:'],
|
||||
defaultSrc: ["'self'"],
|
||||
scriptSrc: ["'self'"],
|
||||
styleSrc: ["'self'", "'unsafe-inline'", 'https://fonts.googleapis.com'],
|
||||
fontSrc: ["'self'", 'https://fonts.gstatic.com'],
|
||||
imgSrc: ["'self'", 'data:'],
|
||||
connectSrc: ["'self'", 'ws:', 'wss:'],
|
||||
upgradeInsecureRequests: null, // Nginx handles HTTPS; this breaks HTTP on LAN/dev
|
||||
},
|
||||
},
|
||||
}));
|
||||
@@ -409,7 +410,13 @@ app.get('/api/scores/me', requireAuth, (req, res) => {
|
||||
res.json({ practice, matches });
|
||||
});
|
||||
|
||||
// ── Static files ──────────────────────────────────────────────────────────────
|
||||
// ── Stratagems API (authenticated) ────────────────────────────────────────────
|
||||
// Stratagem sequences are served via API – not as a public static file.
|
||||
app.get('/api/stratagems', requireAuth, (req, res) => {
|
||||
res.json(STRATAGEMS);
|
||||
});
|
||||
|
||||
// ── Public static files (index.html, styles.css, app.js) ─────────────────────
|
||||
app.use(express.static(path.join(__dirname, 'public'), {
|
||||
etag: false,
|
||||
setHeaders: (res) => res.setHeader('Cache-Control', 'no-store'),
|
||||
|
||||
Reference in New Issue
Block a user