From bf47191dd4e46fc6d600387a0b323d7b26bf5eaa Mon Sep 17 00:00:00 2001
From: gitmotion <43588713+gitmotion@users.noreply.github.com>
Date: Fri, 20 Jun 2025 12:01:32 -0700
Subject: [PATCH] Add helmet config and deprecate previous
ALLOWED_IFRAME_ORIGINS
---
.env.example | 3 +-
Dockerfile | 2 +-
README.md | 120 ++++++++++++++++++++++++-------------
docker-compose.yml | 4 +-
package-lock.json | 10 ++++
package.json | 1 +
src/app.js | 5 +-
src/config/index.js | 6 +-
src/middleware/security.js | 26 +++++++-
9 files changed, 124 insertions(+), 53 deletions(-)
diff --git a/.env.example b/.env.example
index 27b988d..0cf7851 100644
--- a/.env.example
+++ b/.env.example
@@ -13,9 +13,10 @@ BASE_URL=http://localhost:3000/
# (default: '*' if empty, add your base_url if you want to restrict only to base_url)
# When adding multiple origins, base_url will be included by default
# ALLOWED_ORIGINS: http://internalip:port,https://subdomain.example.com
-ALLOWED_ORIGINS=*
+ALLOWED_ORIGINS=
# Node environment (default: production)
+# When set to 'development', ALLOWED_ORIGINS will default to '*'
NODE_ENV=production
#########################################
diff --git a/Dockerfile b/Dockerfile
index 04a9654..fa00d48 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
# Base stage for shared configurations
-FROM node:20-alpine as base
+FROM node:22-alpine as base
# Install python and create virtual environment with minimal dependencies
RUN apk add --no-cache python3 py3-pip && \
diff --git a/README.md b/README.md
index c93f666..88d0874 100644
--- a/README.md
+++ b/README.md
@@ -7,6 +7,7 @@ A stupid simple file upload application that provides a clean, modern interface
No auth (unless you want it now!), no storage, no nothing. Just a simple file uploader to drop dumb files into a dumb folder.
## Table of Contents
+
- [Quick Start](#quick-start)
- [Production Deployment with Docker](#production-deployment-with-docker)
- [Local Development (Recommended Quick Start)](LOCAL_DEVELOPMENT.md)
@@ -21,44 +22,51 @@ No auth (unless you want it now!), no storage, no nothing. Just a simple file up
## Quick Start
### Option 1: Docker (For Dummies)
+
```bash
# Pull and run with one command
docker run -p 3000:3000 -v ./uploads:/app/uploads dumbwareio/dumbdrop:latest
```
+
1. Go to http://localhost:3000
2. Upload a File - It'll show up in ./uploads
3. Celebrate on how dumb easy this was
### Option 2: Docker Compose (For Dummies who like customizing)
+
Create a `docker-compose.yml` file:
+
```yaml
services:
- dumbdrop:
- image: dumbwareio/dumbdrop:latest
- ports:
- - 3000:3000
- volumes:
- # Where your uploaded files will land
- - ./uploads:/app/uploads
- environment:
- # Explicitly set upload directory inside the container
- UPLOAD_DIR: /app/uploads
- # The title shown in the web interface
- DUMBDROP_TITLE: DumbDrop
- # Maximum file size in MB
- MAX_FILE_SIZE: 1024
- # Optional PIN protection (leave empty to disable)
- DUMBDROP_PIN: 123456
- # Upload without clicking button
- AUTO_UPLOAD: false
- # The base URL for the application
- # You must update this to the url you use to access your site
- BASE_URL: http://localhost:3000
+ dumbdrop:
+ image: dumbwareio/dumbdrop:latest
+ ports:
+ - 3000:3000
+ volumes:
+ # Where your uploaded files will land
+ - ./uploads:/app/uploads
+ environment:
+ # Explicitly set upload directory inside the container
+ UPLOAD_DIR: /app/uploads
+ # The title shown in the web interface
+ DUMBDROP_TITLE: DumbDrop
+ # Maximum file size in MB
+ MAX_FILE_SIZE: 1024
+ # Optional PIN protection (leave empty to disable)
+ DUMBDROP_PIN: 123456
+ # Upload without clicking button
+ AUTO_UPLOAD: false
+ # The base URL for the application
+ # You must update this to the url you use to access your site
+ BASE_URL: http://localhost:3000
```
+
Then run:
+
```bash
docker compose up -d
```
+
1. Go to http://localhost:3000
2. Upload a File - It'll show up in ./uploads
3. Rejoice in the glory of your dumb uploads
@@ -90,21 +98,22 @@ For local development setup, troubleshooting, and advanced usage, see the dedica
### Environment Variables
-| Variable | Description | Default | Required |
-|------------------------|------------------------------------------------------------------|-----------------------------------------|----------|
-| PORT | Server port | 3000 | No |
-| BASE_URL | Base URL for the application | http://localhost:PORT | No |
-| MAX_FILE_SIZE | Maximum file size in MB | 1024 | No |
-| DUMBDROP_PIN | PIN protection (4-10 digits) | None | No |
-| DUMBDROP_TITLE | Site title displayed in header | DumbDrop | No |
-| APPRISE_URL | Apprise URL for notifications | None | No |
-| APPRISE_MESSAGE | Notification message template | New file uploaded {filename} ({size}), Storage used {storage} | No |
-| APPRISE_SIZE_UNIT | Size unit for notifications (B, KB, MB, GB, TB, or Auto) | Auto | No |
-| AUTO_UPLOAD | Enable automatic upload on file selection | false | No |
-| ALLOWED_EXTENSIONS | Comma-separated list of allowed file extensions | None | No |
-| ALLOWED_IFRAME_ORIGINS | Comma-separated list of origins allowed to embed the app in an iframe | None | No |
-| UPLOAD_DIR | Directory for uploads (Docker/production; should be `/app/uploads` in container) | None (see LOCAL_UPLOAD_DIR fallback) | No |
-| LOCAL_UPLOAD_DIR | Directory for uploads (local dev, fallback: './local_uploads') | ./local_uploads | No |
+| Variable | Description | Default | Required |
+| -------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | -------- |
+| PORT | Server port | 3000 | No |
+| BASE_URL | Base URL for the application | http://localhost:PORT | No |
+| MAX_FILE_SIZE | Maximum file size in MB | 1024 | No |
+| DUMBDROP_PIN | PIN protection (4-10 digits) | None | No |
+| DUMBDROP_TITLE | Site title displayed in header | DumbDrop | No |
+| APPRISE_URL | Apprise URL for notifications | None | No |
+| APPRISE_MESSAGE | Notification message template | New file uploaded {filename} ({size}), Storage used {storage} | No |
+| APPRISE_SIZE_UNIT | Size unit for notifications (B, KB, MB, GB, TB, or Auto) | Auto | No |
+| AUTO_UPLOAD | Enable automatic upload on file selection | false | No |
+| ALLOWED_EXTENSIONS | Comma-separated list of allowed file extensions | None | No |
+| ALLOWED_IFRAME_ORIGINS (deprecated: see ALLOWED_ORIGINS) | Comma-separated list of origins allowed to embed the app in an iframe | None | No |
+| ALLOWED_ORIGINS | You can restrict CORS to your BASE_URL or a comma-separated list of specified origins, which will automatically include your base_url | '\*' | No |
+| UPLOAD_DIR | Directory for uploads (Docker/production; should be `/app/uploads` in container) | None (see LOCAL_UPLOAD_DIR fallback) | No |
+| LOCAL_UPLOAD_DIR | Directory for uploads (local dev, fallback: './local_uploads') | ./local_uploads | No |
- **UPLOAD_DIR** is used in Docker/production. If not set, LOCAL_UPLOAD_DIR is used for local development. If neither is set, the default is `./local_uploads`.
- **Docker Note:** The Dockerfile now only creates the `uploads` directory inside the container. The host's `./local_uploads` is mounted to `/app/uploads` and should be managed on the host system.
@@ -114,50 +123,72 @@ For local development setup, troubleshooting, and advanced usage, see the dedica
See `.env.example` for a template and more details.
-ALLOWED_IFRAME_ORIGINS
+ALLOWED_IFRAME_ORIGINS (DEPRECATED: see ALLOWED_ORIGINS)
-To allow this app to be embedded in an iframe on specific origins (such as Organizr), set the `ALLOWED_IFRAME_ORIGINS` environment variable. For example:
+~~To allow this app to be embedded in an iframe on specific origins (such as Organizr), set the `ALLOWED_IFRAME_ORIGINS` environment variable. For example:~~
```env
ALLOWED_IFRAME_ORIGINS=https://organizr.example.com,https://myportal.com
```
-- If not set, the app will only allow itself to be embedded in an iframe on the same origin (default security).
-- If set, the app will allow embedding in iframes on the specified origins and itself.
-- **Security Note:** Only add trusted origins. Allowing arbitrary origins can expose your app to clickjacking and other attacks.
+- ~~If not set, the app will only allow itself to be embedded in an iframe on the same origin (default security).~~
+- ~~If set, the app will allow embedding in iframes on the specified origins and itself.~~
+- ~~**Security Note:** Only add trusted origins. Allowing arbitrary origins can expose your app to clickjacking and other attacks.~~
+
+ALLOWED_ORIGINS
+
+By default `ALLOWED_ORIGINS` is set to '\*'
+
+```env
+ALLOWED_ORIGINS=https://organizr.example.com,https://myportal.com,http://internalip:port
+```
+
+- If you would like to restrict CORS to your BASE_URL, you can set it like this: `ALLOWED_ORIGINS=http://localhost:3000`
+- If you would like to allow multiple origins, you can set it like this: `ALLOWED_ORIGINS=http://internalip:port,https://subdomain.domain.tld`
+ - This will automatically include your BASE_URL in the list of allowed origins.
+
+
File Extension Filtering
To restrict which file types can be uploaded, set the `ALLOWED_EXTENSIONS` environment variable. For example:
+
```env
ALLOWED_EXTENSIONS=.jpg,.jpeg,.png,.pdf,.doc,.docx,.txt
```
+
If not set, all file extensions will be allowed.
+
Notification Setup
#### Message Templates
+
The notification message supports the following placeholders:
+
- `{filename}`: Name of the uploaded file
- `{size}`: Size of the file (formatted according to APPRISE_SIZE_UNIT)
- `{storage}`: Total size of all files in upload directory
Example message template:
+
```env
APPRISE_MESSAGE: New file uploaded {filename} ({size}), Storage used {storage}
```
Size formatting examples:
+
- Auto (default): Chooses nearest unit (e.g., "1.44MB", "256KB")
- Fixed unit: Set APPRISE_SIZE_UNIT to B, KB, MB, GB, or TB
Both {size} and {storage} use the same formatting rules based on APPRISE_SIZE_UNIT.
#### Notification Support
+
- Integration with [Apprise](https://github.com/caronc/apprise?tab=readme-ov-file#supported-notifications) for flexible notifications
- Support for all Apprise notification services
- Customizable notification messages with filename templating
@@ -167,6 +198,7 @@ Both {size} and {storage} use the same formatting rules based on APPRISE_SIZE_UN
## Security
### Features
+
- Variable-length PIN support (4-10 digits)
- Constant-time PIN comparison
- Input sanitization
@@ -178,6 +210,7 @@ Both {size} and {storage} use the same formatting rules based on APPRISE_SIZE_UN
## Technical Details
### Stack
+
- **Backend**: Node.js (>=20.0.0) with Express
- **Frontend**: Vanilla JavaScript (ES6+)
- **Container**: Docker with multi-stage builds
@@ -186,6 +219,7 @@ Both {size} and {storage} use the same formatting rules based on APPRISE_SIZE_UN
- **Notifications**: Apprise integration
### Dependencies
+
- express: Web framework
- multer: File upload handling
- apprise: Notification system
@@ -210,8 +244,10 @@ See [Local Development (Recommended Quick Start)](LOCAL_DEVELOPMENT.md) for loca
---
+
Made with ❤️ by [DumbWare.io](https://dumbware.io)
## Future Features
+
- Camera Upload for Mobile
-> Got an idea? [Open an issue](https://github.com/dumbwareio/dumbdrop/issues) or [submit a PR](https://github.com/dumbwareio/dumbdrop/pulls)
+ > Got an idea? [Open an issue](https://github.com/dumbwareio/dumbdrop/issues) or [submit a PR](https://github.com/dumbwareio/dumbdrop/pulls)
diff --git a/docker-compose.yml b/docker-compose.yml
index 85ceb49..5ce33c0 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -16,8 +16,8 @@ services:
BASE_URL: http://localhost:3000 # The base URL for the application, You must update this to the url you use to access your site
# Comma-separated list of allowed origins for CORS
- # (default: '*' if empty, add your base_url if you want to restrict only to base_url)
- # When adding multiple origins, base_url will be included by default
+ # (default: '*' if empty, replace with your base_url if you want to restrict only to base_url)
+ # When adding multiple origins, base_url will be included by default and does not need to the list
# ALLOWED_ORIGINS: http://internalip:port,https://subdomain.example.com
# Additional available environment variables (commented out with defaults)
diff --git a/package-lock.json b/package-lock.json
index c7e9256..4b0ac54 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -15,6 +15,7 @@
"dotenv": "^16.0.3",
"express": "^4.18.2",
"express-rate-limit": "^7.1.5",
+ "helmet": "^8.1.0",
"multer": "^1.4.5-lts.1",
"toastify-js": "^1.12.0"
},
@@ -1424,6 +1425,15 @@
"node": ">= 0.4"
}
},
+ "node_modules/helmet": {
+ "version": "8.1.0",
+ "resolved": "https://registry.npmjs.org/helmet/-/helmet-8.1.0.tgz",
+ "integrity": "sha512-jOiHyAZsmnr8LqoPGmCjYAaiuWwjAPLgY8ZX2XrmHawt99/u1y6RgrZMTeoPfpUbV96HOalYgz1qzkRbw54Pmg==",
+ "license": "MIT",
+ "engines": {
+ "node": ">=18.0.0"
+ }
+ },
"node_modules/http-errors": {
"version": "2.0.0",
"resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.0.tgz",
diff --git a/package.json b/package.json
index 5b102aa..fbc064e 100644
--- a/package.json
+++ b/package.json
@@ -21,6 +21,7 @@
"dotenv": "^16.0.3",
"express": "^4.18.2",
"express-rate-limit": "^7.1.5",
+ "helmet": "^8.1.0",
"multer": "^1.4.5-lts.1",
"toastify-js": "^1.12.0"
},
diff --git a/src/app.js b/src/app.js
index 3f6aabe..b1379fb 100644
--- a/src/app.js
+++ b/src/app.js
@@ -6,6 +6,7 @@
const express = require('express');
const cors = require('cors');
+const helmet = require('helmet');
const cookieParser = require('cookie-parser');
const path = require('path');
const fs = require('fs');
@@ -14,7 +15,7 @@ const fsPromises = require('fs').promises;
const { config, validateConfig } = require('./config');
const logger = require('./utils/logger');
const { ensureDirectoryExists } = require('./utils/fileUtils');
-const { requirePin } = require('./middleware/security');
+const { getHelmetConfig, requirePin } = require('./middleware/security');
const { safeCompare } = require('./utils/security');
const { initUploadLimiter, pinVerifyLimiter, downloadLimiter } = require('./middleware/rateLimiter');
const { injectDemoBanner, demoMiddleware } = require('./utils/demoMode');
@@ -32,6 +33,8 @@ app.set('trust proxy', 1);
app.use(cors(getCorsOptions(BASE_URL)));
app.use(cookieParser());
app.use(express.json());
+app.use(helmet(getHelmetConfig()));
+
// --- AUTHENTICATION MIDDLEWARE FOR ALL PROTECTED ROUTES ---
app.use((req, res, next) => {
// List of paths that should be publicly accessible
diff --git a/src/config/index.js b/src/config/index.js
index c80a675..96fd646 100644
--- a/src/config/index.js
+++ b/src/config/index.js
@@ -79,7 +79,7 @@ function determineUploadDirectory() {
* Returns true if NODE_ENV is not 'production' and UPLOAD_DIR is not set (i.e., not Docker)
*/
function isLocalDevelopment() {
- return process.env.NODE_ENV !== 'production' && !process.env.UPLOAD_DIR;
+ return process.env.NODE_ENV !== 'production';
}
/**
@@ -119,10 +119,10 @@ const config = {
*/
port: process.env.PORT,
/**
- * Node environment (default: 'development')
+ * Node environment (default: 'production')
* Set via NODE_ENV in .env
*/
- nodeEnv: process.env.NODE_ENV || 'production',
+ nodeEnv: process.env.NODE_ENV,
/**
* Base URL for the app (default: http://localhost:${PORT})
* Set via BASE_URL in .env
diff --git a/src/middleware/security.js b/src/middleware/security.js
index e307c9a..cc101cf 100644
--- a/src/middleware/security.js
+++ b/src/middleware/security.js
@@ -9,11 +9,11 @@ const logger = require('../utils/logger');
const PORT = process.env.PORT || 3000;
const NODE_ENV = process.env.NODE_ENV || 'production';
const BASE_URL = process.env.BASE_URL || `http://localhost:${PORT}`;
-// const { config } = require('../config');
+// const { config } = require('../config');
/**
* Security headers middleware
- * DEPRECATED
+ * DEPRECATED: Use helmet middleware instead for security headers
*/
// function securityHeaders(req, res, next) {
// // Content Security Policy
@@ -47,6 +47,25 @@ const BASE_URL = process.env.BASE_URL || `http://localhost:${PORT}`;
// next();
// }
+function getHelmetConfig() {
+ return {
+ noSniff: true, // Prevent MIME type sniffing
+ frameguard: { action: 'deny' }, // Prevent clickjacking
+ hsts: { maxAge: 31536000, includeSubDomains: true }, // Enforce HTTPS for one year
+ crossOriginEmbedderPolicy: true,
+ crossOriginOpenerPolicy: { policy: 'same-origin-allow-popups' },
+ crossOriginResourcePolicy: { policy: 'same-origin' },
+ referrerPolicy: { policy: 'no-referrer-when-downgrade' }, // Set referrer policy
+ ieNoOpen: true, // Prevent IE from executing downloads
+ // Disabled Helmet middlewares:
+ contentSecurityPolicy: false, // Disable CSP for now
+ dnsPrefetchControl: true, // Disable DNS prefetching
+ permittedCrossDomainPolicies: false,
+ originAgentCluster: false,
+ xssFilter: false,
+ };
+}
+
/**
* PIN protection middleware
* @param {string} PIN - Valid PIN for comparison
@@ -86,6 +105,7 @@ function requirePin(PIN) {
}
module.exports = {
- // securityHeaders,
+ // securityHeaders, // Deprecated, use helmet instead
+ getHelmetConfig,
requirePin
};
\ No newline at end of file