salvacybersec/balikci
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

corsu siktim v2

Browse Source
This commit is contained in:
salvacybersec
2025-11-11 07:42:40 +03:00
parent c898ca4a65
commit 36b62be2e1
1 changed files with 26 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
backend/src/app.js
View File

@@ -12,30 +12,34 @@ const { apiLimiter } = require('./middlewares/rateLimiter');
const app = express();
const PORT = process.env.PORT || 3000;
// Security middleware - CSP ayarlarını gevşet (inline script'ler için)
// Security middleware - CSP'yi devre dışı bırak (CORS ve mixed content sorunları için)
app.use(helmet({
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'", "http://*", "https://*"],
styleSrc: ["'self'", "'unsafe-inline'", "http://*", "https://*"],
imgSrc: ["'self'", "data:", "http://*", "https://*"],
connectSrc: ["'self'", "http://*", "https://*"],
fontSrc: ["'self'", "data:", "http://*", "https://*"],
objectSrc: ["'none'"],
mediaSrc: ["'self'"],
frameSrc: ["'none'"],
},
},
contentSecurityPolicy: false, // CSP'yi tamamen kapat
crossOriginEmbedderPolicy: false,
crossOriginResourcePolicy: { policy: "cross-origin" },
}));
// CORS - Her yerden erişime izin ver
// CORS - Her yerden erişime izin ver (tüm route'larda)
app.use((req, res, next) => {
res.header('Access-Control-Allow-Origin', '*');
res.header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, PATCH, OPTIONS');
res.header('Access-Control-Allow-Headers', 'Origin, X-Requested-With, Content-Type, Accept, Authorization');
res.header('Access-Control-Allow-Credentials', 'true');
// OPTIONS request'i için hemen cevap ver
if (req.method === 'OPTIONS') {
return res.sendStatus(200);
}
next();
});
// CORS middleware'i de ekle (çift güvence)
app.use(cors({
origin: true, // Tüm origin'lere izin ver
origin: '*', // Tüm origin'lere izin ver
credentials: true,
methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],
allowedHeaders: ['Content-Type', 'Authorization', 'X-Requested-With'],
allowedHeaders: ['Content-Type', 'Authorization', 'X-Requested-With', 'Origin', 'Accept'],
}));
// Body parsing middleware
@@ -101,6 +105,11 @@ app.get('*', (req, res, next) => {
return next();
}
// CORS headers for HTML
res.header('Access-Control-Allow-Origin', '*');
res.header('Access-Control-Allow-Methods', 'GET, OPTIONS');
res.header('Access-Control-Allow-Headers', 'Content-Type');
// Serve frontend index.html for all other routes
const frontendPath = path.join(__dirname, 'public', 'dist', 'index.html');
res.sendFile(frontendPath, (err) => {