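// Modern Hastebin configuration with KeyDB as default storage.
//
// Every setting is read from a HASTEBIN_* environment variable and falls back
// to the default written next to it. The module exports the resulting plain
// object and prints the security flags once at load time.

/**
 * Read a boolean flag from the environment.
 *
 * @param {string} name - Environment variable name.
 * @param {boolean} fallback - Value used when the variable is unset or empty.
 * @returns {boolean} true only when the variable equals "true"
 *   (case-insensitive); any other non-empty value yields false.
 */
function envFlag(name, fallback) {
  const raw = process.env[name];
  return raw ? raw.toLowerCase() === 'true' : fallback;
}

/**
 * Read a base-10 integer from the environment.
 *
 * @param {string} name - Environment variable name.
 * @param {number} fallback - Value used when the variable is unset,
 *   not numeric, or parses to 0.
 * @returns {number} The parsed integer or the fallback.
 */
function envInt(name, fallback) {
  // `||` is kept on purpose: a value of 0 falls back to the default, exactly
  // as the settings behaved before this helper existed.
  return Number.parseInt(process.env[name], 10) || fallback;
}

/**
 * Read a comma-separated list from the environment.
 *
 * @param {string} name - Environment variable name.
 * @param {string[]} fallback - Value used when the variable is unset or empty.
 * @returns {string[]} The entries with surrounding whitespace removed.
 */
function envList(name, fallback) {
  const raw = process.env[name];
  // Trim each entry: "a, b" used to produce " b", which can never equal a
  // request origin or a source expression compared as an exact string.
  return raw ? raw.split(',').map((entry) => entry.trim()) : fallback;
}

const config = {
  // Server settings
  // "0.0.0.0" listens on every interface; set HASTEBIN_HOST to narrow it.
  host: process.env.HASTEBIN_HOST || '0.0.0.0',
  port: envInt('HASTEBIN_PORT', 7777),

  // Document settings
  keyLength: envInt('HASTEBIN_KEY_LENGTH', 10),
  maxLength: envInt('HASTEBIN_MAX_LENGTH', 400000),

  // Static file settings
  staticMaxAge: envInt('HASTEBIN_STATIC_MAX_AGE', 86400),
  recompressStaticAssets: envFlag('HASTEBIN_RECOMPRESS_ASSETS', true),

  // Security settings
  security: {
    // Enable Content Security Policy
    csp: envFlag('HASTEBIN_ENABLE_CSP', true),

    // Enable HTTP Strict Transport Security (only enable in production with HTTPS)
    hsts: envFlag('HASTEBIN_ENABLE_HSTS', false),

    // Additional script sources (empty by default since we now host jQuery locally).
    // Every entry widens the script allow-list, so keep this as short as possible.
    scriptSources: envList('HASTEBIN_SCRIPT_SOURCES', []),

    // Allow bypassing strict CSP in development mode for testing (default: false)
    // This adds unsafe-inline to the policy when NODE_ENV=development
    bypassCSPInDev: envFlag('HASTEBIN_BYPASS_CSP_IN_DEV', false),

    // Allow unsafe-hashes in production for event handlers (default: true)
    // This adds 'unsafe-hashes' to the policy for DOM event handlers.
    // NOTE(review): this default loosens the CSP; set
    // HASTEBIN_ALLOW_UNSAFE_HASHES=false if the front end has no inline handlers.
    allowUnsafeHashes: envFlag('HASTEBIN_ALLOW_UNSAFE_HASHES', true),

    // Enable Cross-Origin isolation headers (default: false)
    // This adds COOP, COEP, and CORP headers - can break some integrations
    enableCrossOriginIsolation: envFlag('HASTEBIN_ENABLE_CROSS_ORIGIN_ISOLATION', false),
  },

  // Logging configuration
  logging: [
    {
      level: process.env.HASTEBIN_LOG_LEVEL || 'verbose',
      type: process.env.HASTEBIN_LOG_TYPE || 'Console',
      colorize: envFlag('HASTEBIN_LOG_COLORIZE', true),
      json: envFlag('HASTEBIN_LOG_JSON', false),
    },
  ],

  // Key generator configuration
  keyGenerator: {
    type: process.env.HASTEBIN_KEY_GENERATOR_TYPE || 'phonetic',
  },

  // Rate limiting configuration
  rateLimits: {
    categories: {
      normal: {
        totalRequests: envInt('HASTEBIN_RATE_LIMIT_REQUESTS', 500),
        every: envInt('HASTEBIN_RATE_LIMIT_WINDOW', 60000),
      },
    },
  },

  // Storage configuration - KeyDB as default
  storage: {
    type: process.env.HASTEBIN_STORAGE_TYPE || 'redis',
    host: process.env.HASTEBIN_STORAGE_HOST || 'redis',
    port: envInt('HASTEBIN_STORAGE_PORT', 6379),
    // Empty by default, i.e. no storage credential is configured. Set
    // HASTEBIN_STORAGE_PASSWORD when the store requires authentication.
    password: process.env.HASTEBIN_STORAGE_PASSWORD || '',
    db: envInt('HASTEBIN_STORAGE_DB', 0),
    expire: envInt('HASTEBIN_STORAGE_EXPIRE', 7776000),
    connectionTimeout: envInt('HASTEBIN_STORAGE_TIMEOUT', 5000),
  },

  // Static documents
  documents: {
    about: process.env.HASTEBIN_ABOUT_DOCUMENT || './about.md',
  },

  // CORS settings
  // The default is the wildcard '*'. An unset OR empty
  // HASTEBIN_ALLOWED_ORIGINS both fall back to it, so list explicit origins
  // to restrict cross-origin access.
  allowedOrigins: envList('HASTEBIN_ALLOWED_ORIGINS', ['*']),
};

// Support for backwards compatibility
const legacyRedisUrl = process.env.REDIS_URL || process.env.REDISTOGO_URL;
if (legacyRedisUrl) {
  config.storage.url = legacyRedisUrl;
}

// Log the security configuration for debugging.
// Only boolean flags and NODE_ENV are printed; config.storage (password, and
// a URL that may embed credentials) is not logged here - keep it out of this
// output.
console.log('Security configuration:');
console.log('- CSP enabled:', config.security.csp);
console.log('- HSTS enabled:', config.security.hsts);
console.log('- Cross-Origin Isolation enabled:', config.security.enableCrossOriginIsolation);
console.log('- CSP bypass in dev:', config.security.bypassCSPInDev);
console.log('- Environment:', process.env.NODE_ENV);

module.exports = config;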