
Reduce reliance on external dependencies

Open · shesek opened this issue 6 years ago · 1 comment

Some candidates for removal that could easily be re-implemented inside Spark:

  • superagent (only used for a simple HTTP GET request, can be replaced with the built-in http module)

  • helmet (sets security headers)

  • js-yaml (only used to format objects in a human-readable manner, we don't really need yaml)

  • nanoid (secure random string generator)

  • is-ip (few-liner dependency)

  • ordinal (few-liner dependency)

shesek avatar Sep 11 '18 02:09 shesek

These are the headers set by helmet, the most important one being the content security policy:

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval'; font-src 'self' data:; img-src 'self' data:
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block

There are also a few more that are sent to older browsers based on browser sniffing, like X-Content-Security-Policy and X-WebKit-CSP. Should look into helmet to get the full list.

shesek avatar Sep 11 '18 14:09 shesek
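As an added example (not code from the spark-wallet repository, and not how helmet itself is implemented), here is a small Express/Connect-style middleware that emits exactly the headers listed above so the helmet dependency can be dropped. The names securityHeaderMap, securityHeaders and applyToStub are assumptions. The CSP is kept as a directives object and serialized, rather than stored as one hand-typed string, so a directive can be extended per deployment without risking a malformed policy.

```javascript
'use strict';
// Added example, not spark-wallet's own code. Names are assumptions.

// The policy from the issue, as a directives object rather than a raw string.
const DEFAULT_CSP = {
  'default-src': ["'self'"],
  'script-src': ["'self'", "'unsafe-eval'"],
  'font-src': ["'self'", 'data:'],
  'img-src': ["'self'", 'data:'],
};

// Serialize a directives object into a Content-Security-Policy header value.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Compute the header map that helmet was producing for Spark.
// opts.csp      - directives object overriding DEFAULT_CSP
// opts.hsts     - set to false to omit Strict-Transport-Security (for example
//                 behind a TLS-terminating proxy that sets its own); browsers
//                 ignore HSTS on non-TLS responses in any case
// opts.hstsMaxAge - seconds; default is the 15552000 (180 days) shown above
function securityHeaderMap(opts = {}) {
  const headers = {
    'Content-Security-Policy': buildCsp(opts.csp || DEFAULT_CSP),
    'X-Content-Type-Options': 'nosniff',
    'X-DNS-Prefetch-Control': 'off',
    'X-Frame-Options': 'SAMEORIGIN',
    'X-XSS-Protection': '1; mode=block',
  };
  if (opts.hsts !== false) {
    const maxAge = opts.hstsMaxAge === undefined ? 15552000 : opts.hstsMaxAge;
    headers['Strict-Transport-Security'] = `max-age=${maxAge}; includeSubDomains`;
  }
  return headers;
}

// Middleware factory: app.use(securityHeaders()). Also usable inside a plain
// http.createServer handler by calling it before the body is written.
function securityHeaders(opts) {
  const headers = securityHeaderMap(opts);
  return function (req, res, next) {
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    if (typeof next === 'function') next();
  };
}

// Run the middleware against a stub response and return what it set;
// handy for asserting on the policy in a test without binding a socket.
function applyToStub(opts) {
  const res = {
    headers: {},
    setHeader(name, value) { this.headers[name] = value; },
  };
  securityHeaders(opts)({}, res, () => {});
  return res.headers;
}
```

Two caveats when going this route: the legacy X-Content-Security-Policy and X-WebKit-CSP variants mentioned above are deliberately not emitted (they only matter for long-obsolete browsers, and the browser sniffing needed to decide when to send them is part of what helmet would have been buying), and X-XSS-Protection is included only because helmet set it at the time; current browsers ignore it, so the CSP is the control that actually matters.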