import { createServer } from 'http';
import { readFile } from 'fs/promises';
import { extname, join, sep } from 'path';
import { fileURLToPath } from 'url';
// ES modules have no __dirname; derive it from this module's own URL.
const __dirname = fileURLToPath(new URL('.', import.meta.url));
// Only files under ./web (next to this file) are ever served.
const webDir = join(__dirname, 'web');
// An optional first CLI argument overrides the default listening port.
const [, , portArg] = process.argv;
const port = portArg || 3009;
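// Content-Type by file extension. Extensions not listed here fall back to
// application/octet-stream in the handler, which together with
// X-Content-Type-Options: nosniff stops browsers from guessing that an
// unknown file is script or markup.
// Text types carry an explicit charset so the browser does not have to sniff
// the encoding (assumes the assets on disk are UTF-8, which is the usual case).
// Frozen: this table is shared by every request and must not drift at runtime.
const MIME = Object.freeze({
  '.html': 'text/html; charset=utf-8',
  '.css': 'text/css; charset=utf-8',
  '.js': 'application/javascript; charset=utf-8',
  '.json': 'application/json; charset=utf-8',
  '.xml': 'application/xml; charset=utf-8',
  '.txt': 'text/plain; charset=utf-8',
  '.ico': 'image/x-icon',
});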
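// Hardening headers attached to every response (error responses included):
//  - X-Frame-Options: DENY          — the site may not be framed (clickjacking)
//  - X-Content-Type-Options: nosniff — honour the Content-Type we send, never sniff
//  - Referrer-Policy: no-referrer   — never leak our URLs to other origins
// NOTE(review): no Content-Security-Policy or Strict-Transport-Security is set;
// whether either is appropriate depends on the served site and on whether TLS
// is terminated in front of this server, so they are deliberately not added here.
// Frozen so the shared table cannot be altered at runtime.
const SECURITY_HEADERS = Object.freeze({
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'no-referrer',
});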
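/**
 * Map a raw HTTP request target onto a file path under `rootDir`.
 *
 * @param {string} rawUrl  the request-target exactly as received (`req.url`)
 * @param {string} rootDir absolute directory that files may be served from
 * @returns {{ status: number, filePath?: string }} 400 when the target cannot
 *   be parsed or percent-decoded (or contains NUL), 403 when the resolved path
 *   escapes `rootDir`, otherwise 200 together with the absolute `filePath`
 */
function resolveStaticPath(rawUrl, rootDir) {
  let pathname;
  try {
    // URL parsing drops query/hash and collapses `.`/`..` segments (including
    // their %2e spellings). `new URL` throws on some request targets a client
    // can legitimately send (e.g. `//`), and decodeURIComponent throws on
    // malformed escapes; an uncaught throw here would become an unhandled
    // rejection from the async handler, so both are answered with 400 instead.
    const { pathname: encoded } = new URL(rawUrl, 'http://localhost');
    // Decode so `my%20page.html` finds `my page.html`; the containment check
    // below still runs on the decoded, normalised result.
    pathname = decodeURIComponent(encoded);
  } catch {
    return { status: 400 };
  }
  // A decoded NUL is never a valid file name; reject it before it reaches fs.
  if (pathname.includes('\0')) {
    return { status: 400 };
  }
  const requested = pathname === '/' ? '/index.html' : pathname;
  const filePath = join(rootDir, requested);
  // join() resolves `..`, so a path that escaped rootDir no longer shares its
  // prefix. The separator must be part of the prefix: a bare
  // startsWith(rootDir) would accept `/srv/web2/x` as a child of `/srv/web`.
  const rootPrefix = rootDir.endsWith(sep) ? rootDir : rootDir + sep;
  if (!filePath.startsWith(rootPrefix)) {
    return { status: 403 };
  }
  return { status: 200, filePath };
}

createServer(async (req, res) => {
  // Every response, error responses included, carries the hardening headers.
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    res.setHeader(name, value);
  }

  const { status, filePath } = resolveStaticPath(req.url, webDir);
  if (status !== 200) {
    res.writeHead(status, { 'Content-Type': 'text/plain' });
    res.end(status === 403 ? 'Forbidden' : 'Bad Request');
    return;
  }

  // NOTE(review): everything under webDir is served, dotfiles included; keep
  // secrets, build config and source maps you do not want public out of it.
  try {
    const data = await readFile(filePath);
    const mime = MIME[extname(filePath)] || 'application/octet-stream';
    res.writeHead(200, { 'Content-Type': mime });
    res.end(data);
  } catch (err) {
    // A missing file, or a directory where a file was expected, is a plain
    // 404. Anything else (permissions, descriptor exhaustion, ...) is a server
    // fault: log it locally and say so without echoing details to the client.
    const code = err?.code;
    if (code === 'ENOENT' || code === 'ENOTDIR' || code === 'EISDIR') {
      res.writeHead(404, { 'Content-Type': 'text/plain' });
      res.end('Not found');
    } else {
      console.error(`readFile failed for ${filePath}:`, err);
      res.writeHead(500, { 'Content-Type': 'text/plain' });
      res.end('Internal Server Error');
    }
  }
}).listen(port, () => {
  console.log(`Server running at http://localhost:${port}`);
});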