nginx-proxy-manager/manager/src/backend/app.js

'use strict';

const express     = require('express');
const bodyParser  = require('body-parser');
const compression = require('compression');
const logger      = require('./logger');

/**
 * App
 */
const app = express();
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({extended: true}));
app.use(compression());

/**
 * General Logging, BEFORE routes
 */
app.disable('x-powered-by');
app.enable('trust proxy', ['loopback', 'linklocal', 'uniquelocal']);
app.enable('strict routing');

// pretty print JSON when not live
if (process.env.NODE_ENV !== 'production') {
    app.set('json spaces', 2);
}

// General security/cache related headers + server header
app.use(function (req, res, next) {
    res.set({
        'Strict-Transport-Security': 'includeSubDomains; max-age=631138519; preload',
        'X-XSS-Protection':          '0',
        'X-Content-Type-Options':    'nosniff',
        'X-Frame-Options':           'DENY',
        'Cache-Control':             'no-cache, no-store, max-age=0, must-revalidate',
        Pragma:                      'no-cache',
        Expires:                     0
    });
    next();
});

/**
 * Routes
 */
app.use('/css',    express.static('dist/css'));
app.use('/fonts',  express.static('dist/fonts'));
app.use('/images', express.static('dist/images'));
app.use('/js',     express.static('dist/js'));
app.use('/api',    require('./routes/api/main'));
app.use('/',       require('./routes/main'));

// production error handler
// no stacktraces leaked to user
app.use(function (err, req, res, next) {
    let payload = {
        error: {
            code:    err.status,
            message: err.public ? err.message : 'Internal Error'
        }
    };

    if (process.env.NODE_ENV === 'development') {
        payload.debug = {
            stack:    typeof err.stack !== 'undefined' && err.stack ? err.stack.split('\n') : null,
            previous: err.previous
        };
    }

    // Not every error is worth logging - but this is good for now until it gets annoying.
    if (!err.public && typeof err.stack !== 'undefined' && err.stack) {
        logger.warn(err.stack);
    }

    res.status(err.status || 500).send(payload);
});

module.exports = app;